Mukesh Chanderia

Palo Alto Basic Configuration

Updated: Feb 20, 2022

Set a Static IP Address for the Management Interface



Devices --> Setup --> Interfaces --> Management




Set DNS Servers


Devices --> Setup --> Services



Change the Source Interface for Different Services (Service Routes)

By default every management-plane service (DNS, NTP, updates, Panorama, syslog, etc.) leaves through the MGT port. A service route lets you send a chosen service out of a data-plane interface instead.

Device --> Setup --> Services --> Service Features --> Service Route Configuration





Default Session Timeouts: Device --> Setup --> Session --> Session Timeouts





Create Zones


Let's configure two zones named Inside and Outside. Go to Network > Zones > Add, give the name Inside, set Type to Layer3 and click OK. Create the Outside zone the same way. A zone only becomes useful once interfaces are assigned to it, and the security policy is written in terms of zones, not interfaces.








Configure Interfaces: Go to Network > Interfaces and click on ethernet1/1. Change Interface Type to Layer3, set Virtual Router to default, set Security Zone to Outside, then on the IPv4 tab assign the IP address 192.168.112.2/24 and click OK. Repeat for the LAN interface (ethernet1/2) with Security Zone set to Inside and its own LAN address.







Configure Routing: Each Layer3 interface must belong to a virtual router. Under Network > Virtual Routers > default we add static routing: Static Routes > IPv4 > Add, choose Interface ethernet1/1 (the Outside interface) and put 192.168.29.1 as the next hop, which is what our topology requires. The next hop must be reachable on the egress interface's own subnet, otherwise the firewall cannot resolve it and traffic is dropped even though the commit succeeds.





The next hop can also be another virtual router (Next VR) if a separate VR is used for each zone.






Configure NAT/PAT: Let's configure source NAT using Dynamic IP and Port, which translates the whole local LAN to a single IP address (PAT). I will NAT my Inside LAN 192.168.78.0/24 to the WAN IP address 192.168.17.100. Go to Policies > NAT > Add and name the rule Inside-To-Outside. On the Original Packet tab set Source Zone Inside, Destination Zone Outside, Destination Interface ethernet1/1 and Source Address 192.168.78.0/24.






Then go to Translated Packet and set Translation Type: Dynamic IP And Port, Address Type: Interface Address, Interface: our WAN interface ethernet1/1 and IP Address: the WAN IP. Click OK. Remember that NAT rules are evaluated before the security policy is looked up, but the security rule is still matched against the pre-NAT addresses and post-NAT zones.



Configure Security Policy: Now create a security policy that allows access from the Inside zone to the Outside zone. Policies > Security > Add, give the rule a name (Inside to Outside), add Source Zone Inside, add Destination Zone Outside and set Action to Allow. In our case we allow all traffic (application any, service any), which is fine for a lab; in production narrow the rule to the applications you need and use Service "application-default" so applications can only use their standard ports.
















You can verify traffic through the Monitor tab (Monitor > Logs > Traffic; requires a license). There is also a Session Browser that shows the sessions currently in progress.




Go to The Application Command Center (ACC) to see network activities.



Configure the Management IP as static and restrict the IP addresses from which management is accessible.

Enable and disable Telnet, ping and HTTP on the management interface




admin@PA-VM> configure
Entering configuration mode
[edit]

Remove whichever addressing mode is currently set, then declare the management interface static and give it its address:

admin@PA-VM# delete deviceconfig system type dhcp-client
admin@PA-VM# delete deviceconfig system type static
admin@PA-VM# set deviceconfig system type static
admin@PA-VM# set deviceconfig system ip-address 192.168.112.130 netmask 255.255.255.0
admin@PA-VM# set deviceconfig system default-gateway 192.168.112.1
admin@PA-VM# commit

Check which management services are listening. Cleartext HTTP and Telnet should stay disabled; HTTPS and SSH are the only protocols you want for administration:

admin@PA-VM# run show system services

HTTP : Disabled
HTTPS : Enabled
Telnet : Disabled
SSH : Enabled
Ping : Enabled
SNMP : Disabled


By default the management interface is out-of-band (the dedicated MGT port). Our aim is to make the firewall manageable from an internal network through a data-plane interface as well.


We chose our LAN interface, ethernet1/2.


Network --> Network Profiles --> Interface Mgmt --> Add, name it "Mgmt-Profile", tick only the services you need (HTTPS, SSH, ping), then attach it to the interface under Network --> Interfaces --> ethernet1/2 --> Advanced --> Management Profile.



The GUI warns that anyone who can reach the network behind ethernet1/2 can now reach the firewall's management services. Treat that warning seriously: fill in the Permitted IP Addresses list on the management profile so only your admin hosts match, and keep Telnet and HTTP unticked. Without a permitted-IP list, a compromised host anywhere on the LAN gets a login prompt on the firewall.
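The management-hardening steps above (static MGT address, DNS, restricted management sources, cleartext services off, and an interface management profile on the LAN interface) as one CLI session. This is an added example, not the post's own configuration; the admin subnet 192.168.112.0/24, the jump host 192.168.78.10, the DNS servers and the profile name Mgmt-Profile are assumptions for illustration. The # lines are explanatory only; PAN-OS has no comment syntax, so do not paste them.

```text
admin@PA-VM> configure

# Static MGT addressing (same addresses as the post) and DNS servers (assumed)
admin@PA-VM# set deviceconfig system type static
admin@PA-VM# set deviceconfig system ip-address 192.168.112.130 netmask 255.255.255.0
admin@PA-VM# set deviceconfig system default-gateway 192.168.112.1
admin@PA-VM# set deviceconfig system dns-setting servers primary 8.8.8.8
admin@PA-VM# set deviceconfig system dns-setting servers secondary 8.8.4.4

# Only these sources may talk to the MGT port at all (assumed admin subnet plus one jump host)
admin@PA-VM# set deviceconfig system permitted-ip 192.168.112.0/24
admin@PA-VM# set deviceconfig system permitted-ip 192.168.78.10/32

# Services on the MGT port: keep HTTPS and SSH, switch off the cleartext protocols and SNMP
admin@PA-VM# set deviceconfig system service disable-http yes
admin@PA-VM# set deviceconfig system service disable-telnet yes
admin@PA-VM# set deviceconfig system service disable-snmp yes
admin@PA-VM# set deviceconfig system service disable-icmp no

# Interface management profile for the LAN data-plane interface: same idea, with its own permitted-ip list,
# so reaching the ethernet1/2 subnet is not enough to reach the firewall login
admin@PA-VM# set network profiles interface-management-profile Mgmt-Profile https yes
admin@PA-VM# set network profiles interface-management-profile Mgmt-Profile ssh yes
admin@PA-VM# set network profiles interface-management-profile Mgmt-Profile ping yes
admin@PA-VM# set network profiles interface-management-profile Mgmt-Profile http no
admin@PA-VM# set network profiles interface-management-profile Mgmt-Profile telnet no
admin@PA-VM# set network profiles interface-management-profile Mgmt-Profile permitted-ip 192.168.78.10/32
admin@PA-VM# set network interface ethernet ethernet1/2 layer3 interface-management-profile Mgmt-Profile

admin@PA-VM# commit

# Confirm the result: expect HTTP and Telnet Disabled, HTTPS and SSH Enabled
admin@PA-VM# run show system services
```

Two checks before you log out: confirm from a host that is not in either permitted-ip list that the login page no longer answers, and confirm from a permitted host that it still does, so a typo in the list does not lock you out (a console connection is the fallback if it does).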





