Palo Alto Lab Guide Version 8.0
Part-1
Agenda
1) Instructions
2) Basic Lab setup
3) Management Interface configuration through CLI
4) GUI login & Dashboard view Details
5) View Default services enabled on Management Interface via GUI
6) Enable HTTP service on Management Interface through CLI
7) Role based access (Admin Profiles & Admin Accounts)
8) Running Config & Candidate config
9) Commit Lock and Test the Lock
10) Host name & Time setting configuration
11) Banner & Message of the day configuration
12) DNS configuration
13) Dynamic Update
14) License Management
15) Device Operations
16) Backup & Restore
1. Instructions
commit Save changes to Running Config
GUI ACCESS INSTRUCTION
CLI ACCESS MODE INSTRUCTION
admin@PA-VM> Operational: use operational mode to view information about the firewall.
admin@PA-VM# Configuration: use configuration mode to view and modify the configuration.
2. Basic lab Setup
FIREWALL INTERFACES  VLAN/VMNET          ZONE  IP ADDRESS        SUBNET
Ethernet 1/0         VLAN 10 / VMNET 10  MGMT  103.0.0.254/24    103.0.0.0/24
Ethernet 1/1         VLAN 11 / VMNET 11  LAN   10.11.11.10/24    10.11.11.0/24
Ethernet 1/2         VLAN 12 / VMNET 12  DMZ   172.16.10.10/24   172.16.10.0/24
Ethernet 1/3         BRIDGED             WAN   192.168.3.125/24  192.168.3.0/24
Ethernet 1/4         VLAN 13 / VMNET 13  HA1   41.0.0.10/24      41.0.0.0/24
Ethernet 1/5         VLAN 14 / VMNET 14  HA2   42.0.0.10/24      42.0.0.0/24
ADMIN PC             VLAN 10 / VMNET 10  MGMT  103.0.0.10/24
LAN PC               VLAN 11 / VMNET 11  LAN   10.11.11.5/24
DEVICES
1. PALO ALTO (2 DEVICES)
2. ADMIN PC
3. LAN PC
4. DMZ SERVER
3. Management Interface configuration through CLI
Default login credentials through GUI & CLI
username = admin
Password = admin
Note:
▪ Login credentials are case sensitive.
▪ By default the IP address on PA hardware is 192.168.1.1/24.
▪ PA VM is by default configured to receive its IP address from DHCP for the management interface.
▪ To delete auto DHCP, use the CLI commands:
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# delete deviceconfig system type dhcp-client
• Commit to save changes
Exiting configuration
admin@PA-VM> show interface management
admin@PA-VM> show system info
Management Interface configuration
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# set deviceconfig system ip-address 103.0.0.254 netmask 255.255.255.0 default-gateway x.x.x.x dns-setting servers primary x.x.x.x secondary
admin@PA-VM# commit
admin@PA-VM# exit
Default Factory reset command
admin@PA-VM> request system private-data-reset
System reload command
admin@PA-VM> request restart system
System shutdown command
admin@PA-VM> request shutdown system
View of Dashboard after login
View more information on the Dashboard
View active admin session through CLI
admin@PALO_ALTO> show admins
Admin     From        Client  Session-start    Idle-for
--------------------------------------------------------------------------
admin     103.0.0.5   CLI     06/06 15:06:09   00:00:00s
To delete admin sessions:
admin@PALO_ALTO> delete admin-sessions
5. View Default services enabled on Management Interface via GUI
6. Enable http service on Management Interface through CLI
admin@PA-VM> configure
admin@PA-VM# set deviceconfig system service disable-http no
admin@PA-VM# commit
Show Commands
admin@PA-VM# set deviceconfig system service ?
admin@PA-VM# show deviceconfig system service
Note: disable-http is a negative flag, so here (disable-http no) means the HTTP service is enabled.
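Because `disable-http no` switches on an unencrypted management service, it is worth checking the service block after a lab like this. The following is an added example, not part of the original guide: it reads text in either the brace format or the `set` format and reports which plaintext services are on. The sample text is constructed, and treating an absent flag as "not enabled" is an assumption.

```python
import re

# Plaintext management services, keyed by the flag that controls each one.
# "disable-<svc> no" is a double negative: the service is ENABLED.
PLAINTEXT = {"disable-http": "HTTP", "disable-telnet": "Telnet"}

# Constructed sample of `show deviceconfig system service` output
# (brace format); not captured from a real device.
SAMPLE = """\
service {
  disable-http no;
  disable-telnet yes;
  disable-icmp no;
}
"""

# Accepts "  disable-http no;" as well as
# "admin@PA-VM# set deviceconfig system service disable-http no".
LINE = re.compile(
    r"^\s*(?:\S+@\S+[#>]\s*)?(?:set deviceconfig system service\s+)?"
    r"(disable-[a-z-]+)\s+(yes|no)\b;?",
    re.M,
)

def parse_service_flags(text):
    """Return {flag: 'yes'|'no'}; a later line overrides an earlier one."""
    return dict(LINE.findall(text))

def plaintext_services_enabled(text):
    """Names of plaintext services that the given config text turns on.

    Assumption: a flag that does not appear is treated as not enabled.
    """
    flags = parse_service_flags(text)
    return sorted(n for f, n in PLAINTEXT.items() if flags.get(f) == "no")

if __name__ == "__main__":
    print(plaintext_services_enabled(SAMPLE))
```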
8. Running Config & Candidate config
A Palo Alto firewall has the following configuration types:
▪ Candidate Configuration
▪ Running Configuration
When we change an existing configuration parameter such as a Security Policy, zone or Virtual Router on the Palo Alto firewall and click OK, the candidate configuration is either created or updated. These saved but not yet applied changes are known as the Candidate Configuration.
When Commit at the top right corner of the Web UI is clicked, the candidate configuration is applied to the running configuration of the firewall. The applied configuration is called the Running Configuration.
Change the host name & time zone on the firewall to check the difference between Candidate Config & Running Config
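The candidate/running distinction can also be checked offline by comparing two exported configuration files. This is an added example, not part of the original guide: it flattens each XML document to leaf paths and lists what a commit would change. Both documents are constructed and heavily trimmed, and the time zone and banner values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed configs for illustration only.
RUNNING = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system>
<hostname>PA-VM</hostname><timezone>UTC</timezone>
</system></deviceconfig></entry></devices></config>"""

CANDIDATE = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system>
<hostname>PALO_ALTO</hostname><timezone>Asia/Kolkata</timezone>
<login-banner>Authorized access only</login-banner>
</system></deviceconfig></entry></devices></config>"""

def flatten(xml_text):
    """Map each leaf element's path (entry names included) to its text.

    Repeated sibling leaves with the same tag collapse to the last one,
    which is acceptable for the scalar settings compared here.
    """
    leaves = {}

    def walk(node, path):
        name = node.get("name")
        here = f"{path}/{node.tag}" + (f"[{name}]" if name else "")
        children = list(node)
        if children:
            for child in children:
                walk(child, here)
        else:
            leaves[here] = (node.text or "").strip()

    walk(ET.fromstring(xml_text), "")
    return leaves

def pending_changes(running_xml, candidate_xml):
    """Return (path, running_value, candidate_value) for every difference.

    None means the setting is absent on that side.
    """
    run, cand = flatten(running_xml), flatten(candidate_xml)
    return [(p, run.get(p), cand.get(p))
            for p in sorted(run.keys() | cand.keys())
            if run.get(p) != cand.get(p)]

if __name__ == "__main__":
    for path, old, new in pending_changes(RUNNING, CANDIDATE):
        print(f"{path}: {old!r} -> {new!r}")
```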
7. Role based access (Admin Profiles & Admin Accounts)
a. Create an Admin Role Profile named Firewall Administrator with the following parameters
a. Create Admin Role Profile
a) Create User (user1) with password (Ab12345) & apply the Admin Role Profile
b) Commit the changes
c) Test by logging in as user1
9. Commit Lock and Test the Lock
The web interface supports multiple concurrent administrator sessions by enabling an administrator to lock the candidate or running configuration so that other administrators cannot change the configuration until the lock is removed.
1. From the GUI, log in as user1 & click the transaction lock icon to the right of the Commit link.
2. Click Take Lock. A Take Lock window opens.
3. Set the type to Commit, and click OK. The user1 lock is listed in the Locks window.
4. Click Close & log out at the bottom-left corner of the WebUI.
5. Return to the WebUI where you are logged in as admin.
6. Notice the lock icon. Click on the icon to check locked users.
7. Now try to commit the changes; it will give you the message “Other administrators are holding device wide commit locks”.
10. Host name & Time setting configuration
11. Banner & Message of the day configuration
NOTE: Logout & re-login to see the effect.
12. DNS Configuration
Note: DNS configuration can be done in two ways a) CLI b) GUI
a) CLI
admin@PALO_ALTO> configure
admin@PALO_ALTO# set deviceconfig system dns-setting servers primary 4.2.2.2 secondary 8.8.8.8
The DNS server configuration settings are used for all DNS queries that the firewall initiates in support of FQDN address objects, logging & firewall management.
DNS configuration through GUI
• Verify that 4.2.2.2 is the primary DNS Server & 8.8.8.8 is the secondary DNS Server
• Verify that updates.paloaltonetworks.com is the Update Server
13. Dynamic Update
DYNAMIC UPDATES
SOFTWARE UPDATES
14. License Management
Note: Internet connectivity is mandatory for licensing.
LICENSING
15. Device Operations
16. Backup & Restore
The backup has been saved locally on the Palo Alto firewall; now we need to export it to our PC.
Now you can see the backup file exported/downloaded to your PC.
Condition: After exporting the backup we made a few changes on the firewall which went wrong & we need to bring the firewall back to the state in which the backup was taken.
Step 1: Import backup file
Step 2: Now load it back to Firewall
QUIZ
END OF MODULE THANK YOU !