Welcome to the first of many posts about Palo Alto Firewalls. This post will go over using a physical Palo Alto Firewall.
The model I will be using is a PA-200 with a PAN-OS of 8. As long as you use the same OS the screenshots should look identical. Older versions of PAN-OS should be similar or the same.
- Management Plane – Is essentially tied to the Management Port. It will have its own IP address, DNS servers and default gateway. In order to update your firewall, you will need to make sure the Management Plane/Port is set up correctly. This post will go over these tasks.
- Data Plane – The data plane is where the traffic that the firewall forwards and inspects flows. Typically the External Port will have a default gateway as well. This post will not cover this.
I will be creating a LAB setup that will be a subset of an existing network. The purpose of this setup is to allow you to play and work with a Palo Alto firewall from the comfort of a working network.
The first thing you need to know when setting up a Palo Alto is that the device’s management port is set to the IP address of 192.168.1.1.
If you plan to plug this port into your existing network and your IP range is also in 192.168.1.x, you will need to change this IP address by plugging a computer directly into the Management port rather than plugging the management port into your existing network infrastructure.
My network is not part of the 192.168.1.x network, so I will plug my Palo Alto management port into a switch and make sure that the Palo Alto device and computer are on the same VLAN/physical network.
I will change my IP address from its 192.168.101.x network address to 192.168.1.2/24. Doing this will allow my machine to talk with the Palo Alto firewall.
- Open your favorite browser (I find Chrome works the best) and go to https://192.168.1.1
You will be greeted with a warning because the firewall presents a self-signed certificate instead of one issued by a certificate authority your browser trusts. Tell your browser it is OK.
You will see the login page for the Palo Alto firewall. The default username and password is:
- user: admin
- pass: admin
When you have entered the login credentials click “Log In”.
You will see a warning that you haven’t changed the default password yet. Click “OK”.
Click the Device tab. To change settings like the hostname and time zone, click Setup, then the Management tab, and then the General Settings cog icon.
A window will pop open and you can enter the information. Here is an example of what I entered into the Palo Alto Device. When done click “OK”.
Please note that this setting, and the rest of the settings we change, will not be applied on the Palo Alto Firewall until we hit Commit!
Next we will update the DNS servers that the Management Plane uses. To do so, stay in the Setup section, click the Services tab, then click the Services cog.
Enter your preferred DNS servers. Typically you would enter your Active Directory DNS servers. Today I chose to use the Google DNS servers. Click OK.
The next thing we will change is the IP address of the Management Port. To do this, stay in the Setup section, click the Interfaces tab, then click Management Interface.
As we have seen, the default IP address is 192.168.1.1. We can set the IP address to DHCP (only newer versions of PAN-OS allow this!) or to a static IP address. Here is how I set up my device:
The next thing we need to do is change the default password of your Palo Alto Firewall. To do this click on:
- Device tab – Administrators section – then click on admin
Change the password to your liking:
Now that we have finished the basic setup of the Palo Alto Firewall, we need to commit our settings.
PLEASE NOTE – Since we are changing the IP address from the 192.168.1.x network to the 192.168.101.x network, the progress bar will never reach 100%. The reason is that once the new management IP takes effect, the browser can no longer reach the firewall at the old address to update the progress bar. This “issue” is pretty typical of network devices that are being configured via their web management interface. If you were using the command console it would complete as expected.
In my instance, the device got to 98%. Click Close.
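For readers who would rather do the same day-0 setup from the command line (or who are on the serial console, where the session is not tied to the management IP and so survives the address change), here is the equivalent PAN-OS CLI session. This is an added example and not from the original post; the hostname PA-200-LAB, the 192.168.101.1 management address, the 192.168.101.254 gateway and the US/Central time zone are assumed values, so substitute your own.

```panos
admin@PA-200> configure
admin@PA-200# set deviceconfig system hostname PA-200-LAB
admin@PA-200# set deviceconfig system timezone US/Central
admin@PA-200# set deviceconfig system dns-setting servers primary 8.8.8.8 secondary 8.8.4.4
admin@PA-200# set deviceconfig system ip-address 192.168.101.1 netmask 255.255.255.0 default-gateway 192.168.101.254
admin@PA-200# set mgt-config users admin password
admin@PA-200# commit
admin@PA-200# exit
admin@PA-200-LAB> show system info | match "hostname|ip-address|default-gateway|dns"
admin@PA-200-LAB> show jobs all
admin@PA-200-LAB> ping host google.com
admin@PA-200-LAB> traceroute host google.com
```

The `>` prompt is operational mode and the `#` prompt is configuration mode, entered with `configure`. The `set mgt-config users admin password` line prompts for the new password twice rather than taking it on the command line, so it does not end up in the command history. Press Tab after `timezone` to list the valid zone names. Nothing takes effect until `commit`, which on the console runs to completion and reports success or failure; if you ran this over SSH to 192.168.1.1 instead, expect the session to drop the moment the new address is applied, and reconnect to 192.168.101.1. `show system info` and `show jobs all` are the quick way to confirm that the committed values are what you intended before moving on to the ping and traceroute tests.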
You can now switch your computer’s IP address back to its normal network and you should be able to talk to the Palo Alto on the new IP address!
When you log in it is good to verify that the settings you have entered were applied. Notice right away that the device was named properly and that the logs show us logging in from the new network.
The last thing we should do is check our ability to SSH into the device and test connectivity using ping and traceroute.
Open your favorite SSH client; I use PuTTY. Enter the settings into the client. Here is mine:
Accept the SSH host key:
Log into the box using the username and password you entered in the web interface.
The first thing we want to do is ping google.com. The command to do this is:
ping host google.com
You should see that the name is resolved using DNS and that the box is able to ping the server:
Another good test is a traceroute. I blurred out my information.
I really hope you find this post informative and concise!