Palo Alto - PCNSA Prep - Base System Setup

In this post, we will see what the minimum configuration is for Palo Alto firewalls where there is no DHCP enabled. The mgmt interface is configured to use DHCP to get basic system configuration started. The firewall is typically configured via the web GUI, however CLI configuration is optional. We will be using EVE-NG as our testing platform, when a PA firewall is initially deployed, a VNC connection is established that allows interaction with the firewall. 

The above topology will be used, it may change slightly between posts, but should be the same throughout the series.

Power on the PA firewall and click on the icon to launch the VNC connection. 

As soon as the firewall is booted up, in PAN-OS 9.X and newer versions, you're automatically prompted to update the default admin password. This is done for the CLI and the WebGUI.

PA-VM login: admin

Password: admin

Enter old password : admin

Enter new password : P@ssw0rd

Confirm password : P@ssw0rd

For lab purposes, I am using a simple password, in production, you would follow a higher standard.

admin@PA-VM> configure
admin@PA-VM# set deviceconfig system ip-address 10.255.1.61
admin@PA-VM# set deviceconfig system netmask 255.255.255.0
admin@PA-VM# set deviceconfig system default-gateway 10.255.1.1
admin@PA-VM# set deviceconfig system hostname PA1
admin@PA-VM# set deviceconfig system type static

admin@PA-VM# set deviceconfig system timezone America/Chicago
admin@PA-VM# commit

Commit job 2 is in progress. Use Ctrl+C to return to command prompt
.....55%.99%........100%
Configuration committed successfully

admin@PA1# show deviceconfig system
system {
  type {
    static;
  }
  update-server updates.paloaltonetworks.com;
  update-schedule {
    threats {
      recurring {
        weekly {
          day-of-week wednesday;
          at 01:02;
          action download-only;
        }
      }
    }
  }
  timezone America/Chicago;
  service {
    disable-telnet yes;
    disable-http yes;
  }
  hostname PA1;
  ip-address 10.255.1.61;
  netmask 255.255.255.0;
  default-gateway 10.255.1.1;
  dns-setting {
    servers {
      primary 8.8.8.8;
    }
  }
}

admin@PA1# exit
Exiting configuration mode
admin@PA1> ping host 10.255.1.1
PING 10.255.1.1 (10.255.1.1) 56(84) bytes of data.
64 bytes from 10.255.1.1: icmp_seq=1 ttl=255 time=1.10 ms
64 bytes from 10.255.1.1: icmp_seq=2 ttl=255 time=1.35 ms
64 bytes from 10.255.1.1: icmp_seq=3 ttl=255 time=1.33 ms
64 bytes from 10.255.1.1: icmp_seq=4 ttl=255 time=1.25 ms
64 bytes from 10.255.1.1: icmp_seq=5 ttl=255 time=1.28 ms
^C
--- 10.255.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms

rtt min/avg/max/mdev = 1.108/1.267/1.359/0.095 ms

From the PA, we test connectivity to the default gateway, we get ping replies back.



We ping the IP address of the PA mgmt interface, we get ICMP echo-replies back, we have connectivity.



Opening a web browser to the firewall and point to 10.255.1.61. We receive a login prompt.
The default Username: admin
The updated Password: P@ssw0rd