Setting up a Palo Alto Networks Firewall for the First Time

source link: https://rowelldionicio.com/setting-up-palo-alto-networks-firewall-first-time/

July 19, 2021 By Rowell Leave a Comment

I recently added a Palo Alto Networks PA-820 next-generation firewall (NGFW) to my lab network. Over at Packet6, I’ve been getting into the PAN NGFWs for a while now and we are reselling Palo Alto Networks.

In this post, I’ll be going over a simple configuration to set up the PA-820 for the first time. The goal is to set up a LAN, WAN (using DHCP), and NAT to get internet access.

This process would be very similar for other models as well.

Keep in mind the version running on my firewall is v9.1.4.

Register your firewall

You’ll need to create an account on the Palo Alto Networks Customer Support Portal.

To register your firewall, you’ll need the serial number.

Sign into the portal.

Click on Register a Device.

Select the radio button for Register a device using Serial Number, then click Next.

Under Device Registration, you’ll need to fill out all the required information. This includes the serial number of the firewall and the location where this firewall will be deployed. That last part is important for RMAs. Then at the bottom you’ll need to agree to the EULA.

There’s an option to create a Day 1 configuration but I’m going to skip that for now.

When finished, your NGFW will be registered.

Access the NGFW

Plug into the MGMT interface of the firewall.

Default IP

The MGMT interface is configured to 192.168.1.1.

Set your NIC to 192.168.1.2 with a mask of 255.255.255.0. You will not receive DHCP leases from the MGMT interface.

Next, you’ll open a web browser to https://192.168.1.1. You should be presented with the login screen of the NGFW.

Default username and password

The default username is: admin

The default password is: admin

After logging in, you’ll be prompted to change the password for the admin account, which is a super user. The new password must be 8 characters in length and must contain an upper case, lower case, number or special character.

After changing the password, you may be kicked out to the login screen. Log back in with the new password.

You’ll be presented with a Welcome pop up. You can close it and view it again later. You’re now in the NGFW and ready to configure the rest of it!

Configure Device Settings

Next, we’ll configure some basic device settings. Nothing crazy.

Click on the Device tab. On the left navigation, click on Setup. Then in the middle pane, you should be in the Management tab. There is a General Settings section. Click on the Gear icon.

Let’s add a hostname, login banner, and set the time zone.

Here’s the login banner I used.

Packet6 LEGAL NOTICE

This is a private system which may be accessed and used for authorized business purposes only.

THERE IS NO RIGHT OF PRIVACY FOR ANY PERSON ACCESSING OR USING THIS SYSTEM.

Access or use of this information system constitutes consent to these terms.

Create a new super user

It’s best practice to set up a new user account so you’re not using the default admin account.

Let’s create a new one. We can harden accounts later. This is just basic admin account creation.

On the left navigation click on Administrators then at the bottom click Add.

In the new pop up, type in the name of the account. We won’t set the Authentication Profile just yet so leave it at none. Create a password and select Dynamic for the Administrator Type. From the dropdown, select Super User.

There are two Administrator types:

  • Dynamic
  • Role Based

The latter would be a more secure way to define administrators. The Dynamic type uses the built-in roles:

  • Superuser
  • Superuser (read only)
  • Virtual System Administrator
  • Virtual System Administrator (read only)
  • Device administrator
  • Device administrator (read only)

Commit your changes

We’re now in a good spot to save our changes to the running configuration by committing.

By using Commit, we take the Candidate configuration and apply it to the Running configuration.

The Commit button is at the top right.

You’ll be presented with a commit pop up where you can preview your changes and add a commit comment.

Before clicking on Commit, click on Preview Changes to see what is included in this Commit Scope.

It’s good practice to review the changes being applied so you don’t create an issue.

Click on Change Summary to get a different view of the changes. I like this view much better. There’s more detail such as the object that is being changed, the location, and the user account that created the change.

Additionally, we can Validate the changes for any errors.

Why don’t we add a commit comment for good practice and click Commit. It will take a moment ☕️

If the Result is Successful then good job! 👍

Configuring Interfaces

Before we can have full network connectivity, we need to configure our interfaces.

Let’s create our first network. We will need an interface for our WAN and LAN. I’m going to configure the WAN on interface ethernet1/1 and the LAN on interface ethernet1/2.

Click on the Network tab and on the left navigation click on Interfaces.

By default, I have the two interfaces I want to configure set to an interface type of Virtual Wire (I won’t go over the interface types in this post). We will change this.

Configure the WAN interface

Click on ethernet1/1.

Give the interface a comment.

Click on the dropdown for Interface Type and change it to Layer3.

Under the Config tab, set the virtual router to default. I’ll cover virtual routers in another post.

Click on the IPv4 tab.

My WAN is DHCP only so I’m going to change the type to DHCP Client.

Then click on OK.

Click on Zones on the left navigation.

By default, there will be two zones: trust and untrust.

Zones are for grouping physical and virtual interfaces.

Click on untrust.

Change the type to Layer 3.

Click on Add to include interface ethernet1/1.

Then click OK.

untrust zone

We are placing ethernet1/1 in the untrust zone because this is where I’m connecting my ISP. We do not trust the Internet, hence, untrust zone.

Go back to the Interfaces config section.

Click on interface ethernet1/2.

Add a comment for the interface.

Set the Interface Type to Layer3.

Change the Virtual Router to default. (We’ll get to the Security Zone soon.)

Click on the IPv4 tab.

We’re going to begin creating our LAN by configuring the gateway for the LAN to reside on interface ethernet1/2.

Leave the Type set to Static.

Under the IP section, click Add.

You’ll have the option to add the IP for your new network. I will type in 10.1.1.1/24.

Then click OK.

Go back to Zones.

Click on the trust zone.

Change the Type to Layer3.

Add interface ethernet1/2 to the Interfaces list and then click OK.

Configure DHCP

Our LAN needs a DHCP scope. We’re not animals, configuring only static IPs for our LAN, are we?

Under the Network tab, click on DHCP from the left navigation.

In the DHCP Server tab, click on Add and we’ll create a scope for our new network under 10.1.1.0/24. You can change that to whatever network you’ve selected as long as the static IP we created earlier is in the same subnet.

Select the LAN interface ethernet1/2 that we configured in the Interface dropdown.

Under the Lease tab, I like to select “Ping IP when allocating new IP” and set a Lease Timeout.

Under IP Pools, click Add and create a scope like I have done.

Then click on the Options tab.

We need to set the Gateway, subnet mask, and DNS servers.

Then click OK.
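The post leaves the consistency of these values to the reader: the DHCP scope has to sit inside the subnet of the static IP on ethernet1/2, the gateway option has to be that interface’s address, and the pool must not hand out the gateway itself. The following is an added example (not code from the original post or from Palo Alto Networks) that checks a planned LAN before you commit it; it uses Python’s standard ipaddress module, and the pool range and DNS servers in it are constructed sample values.

```python
"""Sanity-check a planned LAN before committing it to the firewall.

Added example, not from the original post or from Palo Alto Networks. It
models the values the post enters by hand in the GUI (gateway 10.1.1.1/24
on ethernet1/2, a DHCP pool, and the DHCP options) and checks the
constraints the post states. Pool range and DNS servers are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LanPlan:
    interface_ip: str                 # static IP/prefix on the LAN interface, e.g. "10.1.1.1/24"
    pool_start: str                   # first address of the DHCP IP Pool
    pool_end: str                     # last address of the DHCP IP Pool
    gateway_option: str               # DHCP Options -> Gateway
    subnet_mask_option: str           # DHCP Options -> Subnet Mask
    dns_servers: list[str] = field(default_factory=list)   # DHCP Options -> DNS


def check_lan_plan(plan: LanPlan) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    iface = ipaddress.ip_interface(plan.interface_ip)
    subnet = iface.network
    start = ipaddress.ip_address(plan.pool_start)
    end = ipaddress.ip_address(plan.pool_end)

    if start > end:
        problems.append("pool start is after pool end")
    # The scope must live in the same subnet as the interface's static IP.
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in subnet:
            problems.append(f"{label} {addr} is outside {subnet}")
    # Never lease the gateway, the network address or the broadcast address.
    if start <= iface.ip <= end:
        problems.append(f"pool {start}-{end} includes the gateway {iface.ip}")
    if start == subnet.network_address or end == subnet.broadcast_address:
        problems.append("pool includes the network or broadcast address")

    # The options handed to clients must describe this interface's network.
    gw = ipaddress.ip_address(plan.gateway_option)
    if gw != iface.ip:
        problems.append(f"gateway option {gw} does not match interface IP {iface.ip}")
    mask = ipaddress.ip_address(plan.subnet_mask_option)
    if mask != subnet.netmask:
        problems.append(f"subnet mask option {mask} does not match {subnet.netmask}")
    if not plan.dns_servers:
        problems.append("no DNS servers configured")
    for dns in plan.dns_servers:
        ipaddress.ip_address(dns)     # raises ValueError on a malformed entry

    return problems


if __name__ == "__main__":
    # Constructed sample matching the post's LAN (pool and DNS are assumptions).
    plan = LanPlan("10.1.1.1/24", "10.1.1.100", "10.1.1.200",
                   "10.1.1.1", "255.255.255.0", ["1.1.1.1"])
    for problem in check_lan_plan(plan) or ["LAN plan is consistent"]:
        print(problem)
```

Run it with your own values before the commit; every string it returns is something the firewall would accept but your clients would trip over (no default route, addresses in the wrong subnet, or a lease that collides with the gateway).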

Default-vwire

Delete the default-vwire, as we’re not going to use it.

The default-vwire is used with the Virtual Wire interface type. You can read up on it on Palo Alto Networks’ website.

Commit

Let’s commit our changes from the candidate config to the running config.

Then, we test the LAN interface.

I plug in my laptop into ethernet1/2 and see if I get a DHCP lease.

Sweet, I get an IP address within the DHCP scope we configured. I see I have a gateway assigned and DNS servers. Can I ping the gateway, 10.1.1.1?

% ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- 10.1.1.1 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

If you want to allow ping replies then we’ll need to configure a Management Profile for the interface.

I’m going to plug back into the MGMT interface, where HTTPS and SSH are allowed.

Management Profile

Click on the Network Tab and on the left navigation click on Interface Mgmt under Network Profiles.
Just for simplicity and educational purposes, I’m going to create an interface management profile to allow HTTPS, SSH, and Ping on ethernet1/2.

Click on Add.

Create a name for this Interface Management Profile.

Enable HTTPS and SSH under the Administrative Management Services section.

Enable Ping under the Network Services section.

You can be more restrictive by allowing access to these services from specific IP addresses.

Click OK.

Click on the Interfaces sub menu item.

Click on ethernet1/2 (or your interface configured for the LAN).

Click on the Advanced tab.

Under the Other Info tab, click on the drop down for Management Profile and select the newly created Interface Management Profile.

Click OK.

You’ll be presented with a warning. Understand how this Interface Management Profile affects your network.
Continue by clicking on Yes.

Now, commit your changes.

Let’s test the LAN by plugging your laptop into ethernet1/2. Don’t forget to re-enable DHCP on your laptop interface and ping the gateway.

% ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.989 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.915 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=1.180 ms
^C
--- 10.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.915/1.028/1.180/0.112 ms

What about HTTPS? From the screenshot below you can see that it works. It even has our login banner. That will really scare away the bad guys 😉 And I can successfully log in with my newly created super user account.

You can even see the DHCP lease in the System Logs.

Plug in your WAN connection.

If I refresh my system logs we can see that my ISP’s modem provided a DHCP lease. It’s simple to set up the Palo Alto Networks NGFW WAN interface as a DHCP client.

Can we ping the internet? Nope!

% ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

We need to configure NAT!

Click on the Policies tab and then NAT on the left navigation.

Click Add to create a new NAT policy.

In the new NAT Policy Rule window, create a Name, description, and Audit comment.

Then click on Original Packet tab.

For the Source Zone, add the trust zone. That is the zone ethernet1/2 is in.

Under Destination Zone, select untrust from the drop down menu. That is the configured zone for our WAN interface, ethernet1/1.

For Destination Interface, you can leave it as any but I will select ethernet1/1 here.

Click on the Translated Packet tab.

Configure the translation as follows:

  • Translation Type: Dynamic IP and Port
  • Address Type: Interface Address
  • Interface: our WAN interface, ethernet1/1
  • IP Address: None (because we’re using DHCP)

Click OK.

Commit changes.

Here’s what the NAT policy looks like.

Now test ping and web browsing.

% ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=55 time=30.468 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=28.170 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=55 time=27.824 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 27.824/28.821/30.468/1.173 ms

DNS is good too.

% ping google.com
PING google.com (142.250.217.142): 56 data bytes
64 bytes from 142.250.217.142: icmp_seq=0 ttl=114 time=27.169 ms
64 bytes from 142.250.217.142: icmp_seq=1 ttl=114 time=26.697 ms
64 bytes from 142.250.217.142: icmp_seq=2 ttl=114 time=28.073 ms

Security ACLs

It’s important to note that there is a default ACL included, rule1. It allows traffic from the trust zone to the untrust zone.

You can see the Hit Count for the traffic.

You need to specify what’s allowed through the firewall, and rule1 is allowing any traffic originating from the trust zone out to the internet (untrust zone). With rule1 disabled, our traffic will not get to the Internet.

Our NAT policy has an increasing hit count as well.
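The two hit counters in this section come from two separate lookups, and the post’s observation that disabling rule1 cuts off the Internet is a consequence of how the first one works. The following is an added example (not code from the original post or from Palo Alto Networks) that models both decisions for a flow from the LAN: the security rulebase is matched top-down, first match wins, and anything left over falls to the built-in defaults (intrazone-default allows, interzone-default denies); the NAT rule of type Dynamic IP and Port then rewrites the source of an allowed trust-to-untrust flow to the WAN interface’s address. Rule names other than rule1, the sample WAN address and the flows are constructed.

```python
"""Model the fate of a LAN-to-Internet flow through security policy and NAT.

Added example, not from the original post or Palo Alto Networks' code.
The WAN address and the flows are constructed sample values.
"""
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SecurityRule:
    name: str
    from_zone: str      # "any" matches every zone
    to_zone: str
    action: str         # "allow" or "deny"
    enabled: bool = True


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    translated_src: str   # address of the egress interface (DHCP-learned on the WAN)


def evaluate_security(rules, flow):
    """Return (rule name, action): first enabled match wins, else the built-in default."""
    for r in rules:
        if not r.enabled:          # a disabled rule1 simply does not participate
            continue
        if r.from_zone in ("any", flow.src_zone) and r.to_zone in ("any", flow.dst_zone):
            return r.name, r.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"   # trust -> untrust lands here without rule1


class DippTranslator:
    """Dynamic IP and Port: many LAN hosts share one WAN IP, told apart by port."""

    def __init__(self):
        self._ports = itertools.count(start=1024)   # constructed port allocator
        self.table = {}   # (src_ip, src_port, dst_ip, dst_port) -> (wan_ip, wan_port)

    def translate(self, rule, flow):
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.table:                   # new session: allocate a port
            self.table[key] = (rule.translated_src, next(self._ports))
        wan_ip, wan_port = self.table[key]
        return replace(flow, src_ip=wan_ip, src_port=wan_port)


def process(sec_rules, nat_rules, nat, flow):
    """Security policy sees the original addresses; NAT rewrites only allowed flows.

    Returns (matching security rule, action, translated flow or None).
    """
    rule, action = evaluate_security(sec_rules, flow)
    if action != "allow":
        return rule, action, None
    for n in nat_rules:
        if n.from_zone == flow.src_zone and n.to_zone == flow.dst_zone:
            return rule, action, nat.translate(n, flow)
    return rule, action, flow   # allowed but no NAT rule matched


if __name__ == "__main__":
    rules = [SecurityRule("rule1", "trust", "untrust", "allow")]
    nat_rules = [NatRule("lan-to-wan", "trust", "untrust", "203.0.113.7")]  # constructed
    flow = Flow("trust", "untrust", "10.1.1.50", 51000, "1.1.1.1", 443)
    nat = DippTranslator()
    print(process(rules, nat_rules, nat, flow))
    rules[0].enabled = False
    print(process(rules, nat_rules, nat, flow))   # interzone-default deny, no NAT
```

The second run in the usage block reproduces the post’s disabled-rule1 case: nothing in the rulebase matches, so the flow falls through to interzone-default and is dropped before the NAT rule is ever consulted, which is why the NAT hit counter stops climbing together with the security one.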

Closing Thoughts

This is the basic configuration of a Palo Alto Networks firewall where we configured our super user account, basic system configuration, interfaces, and NAT.

Our configuration will work for basic lab and internet use. There are advanced configurations to secure this firewall and the network which I will address in the future.

To see more tutorials like this, sign up for my email list. I’ll be going through more configurations of my PA-820 lab unit.

