1

Palo Alto Lab Guide Version 8.0

Part-1

Agenda

3

1) Instructions2) Basic Lab setup 3) Management Interface configuration through CLI4) GUI login & Dashboard view Details5) View Default services enabled on Management Interface via GUI6) Enable HTTP service on Management Interface through CLI7) Role based access (Admin Profiles & Admin Accounts)8) Running Config & Candidate config9) Commit Lock and Test the Lock10)Host name & Time setting configuration 11) Banner & Message of the day configuration12) DNS configuration13) Dynamic Update 14) License Management15)Device Operations16) Backup & Restore

4

This field is required

Invalid

1. Instructions

commit Save changes to Running Config

GUI ACCESS INSTRUCTION

CLI ACCESS MODE INSTRUCTION

admin@PA-VM> Operational—Use operational mode to view information about

the firewall

admin@PA-VM# Configuration—Use configuration mode to view and modify the

configuration.

2. Basic lab Setup

4

FIREWALL INTERFACES

VLAN/VMNET ZONE IP ADDRESS SUBNET

Ethernet 1/0 VLAN 10 / VMNET 10 MGMT 103.0.0.254/24 103.0.0.0/24

Ethernet 1/1 VLAN 11 / VMNET 11 LAN 10.11.11.10/24 10.11.11.0/24

Ethernet 1/2 VLAN 12 / VMNET 12 DMZ 172.16.10.10/24 172.16.10.0/24

Ethernet 1/3 BRIDGED WAN 192.168.3.125/24 192.168.3.0/24

Ethernet 1/4 VLAN 13 / VMNET 13 HA1 41.0.0.10/24 41.0.0.0/24

Ethernet 1/5 VLAN 14 / VMNET 14 HA2 42.0.0.10/24 42.0.0.0/24

ADMIN PC VLAN 10 / VMNET 10 MGMT 103.0.0.10/24

LAN PC VLAN 11 / VMNET 11 LAN 10.11.11.5/24

DEVICES

1. PALO ALTO (2 DEVICES)2. ADMIN PC3. LAN PC4. DMZ SERVER

3. Management Interface configuration through CLI

4

Default login credentials through GUI & CLIusername = adminPassword = adminNote: ▪ Login credentials are case sensitive ▪ By default IP address on PA Hardware is 192.168.1.1/24▪ PA VM is by default configured to receive IP address from DHCP for management

Interface.▪ To delete auto DHCP use CLI command admin@PA-VM> configureEntering configuration mode[edit]admin@PA-VM# delete deviceconfig system type dhcp-client• Commit to save changes

5

Exiting configuration admin@PA-VM> show interface managementadmin@PA-VM> show System info

Management Interface configurationadmin@PA-VM> configure Entering configuration mode[edit] admin@PA-VM# set deviceconfig system ip-address 103.0.0.254 netmask 255.255.255.0 default-gateway x.x.x.x dns-setting servers primary x.x.x.x secondary admin@PA-VM# commitadmin@PA-VM# exit

Default Factory reset command admin@PA-VM>request system private-data-resetSystem reload command admin@PA-VM>request restart system

System shutdown command admin@PA-VM>request shutdown system

6

4. GUI login & Dashboard view Details

• Use browser https://103.0.0.254

7

View of Dashboard after login

8

View more information's on Dashboard

8

View active admin session through CLI

admin@PALO_ALTO> show adminsAdmin From Client Session-start Idle-for--------------------------------------------------------------------------admin 103.0.0.5 CLI 06/06 15:06:09 00:00:00s

To Delete admin sessions:admin@PALO_ALTO> delete admin-sessions

8

5. View Default services enabled on Management Interface via GUI

10

6. Enable http service on Management Interface through CLI

admin@PA-VM> configureadmin@PA-VM# set deviceconfig system service disable-http noadmin@PA-VM# commit

Show Commands

admin@PA-VM# set deviceconfig system service ?admin@PA-VM# show deviceconfig system service

Note : Here (disable-http no) means to enable http service

13

8. Running Config & Candidate config

Palo Alto Firewall comes with following config types:

Candidate Configuration Running Configuration

When we make any changes to the configuration of an existing parameters like Security Policy, zone, Virtual router etc. in the Palo Alto firewall and click OK , the Candidate Configuration is either created or updated.This type of configuration is known as Candidate Configuration.

when Commit tab at the top right corner of Web UI of the Palo Alto Firewall is clicked the Candidate Configuration is applied to the running configuration of the Palo Alto firewall. And the applied configuration is called running configuration.

13

Change Host-Name & time-zone on the Firewall to check difference between candidate config &Running Config

10

7. Role based access (Admin Profiles & Admin Accounts)

a. Create Admin Role Profile with name of Firewall Administrator with following Parameters

11

a. Create Admin Role Profile

12

a) Create User (user1) with password (Ab12345) & apply Admin role profileb) Commit to changes c) Test by logging to user1

13

9. Commit Lock and Test the Lock

The web interface supports multiple concurrent administrator sessions by enabling an administrator. Lock the candidate or running configuration so that other administrators cannot change the configuration until the lock is removed.

1. From the GUI get logged in with user1 & click the transaction lock icon to the right of the commit link.

2. Click Take Lock. A Take lock window opens3. Set the type to Commit, and click ok. The user1 lock is listed in the Locks window.

13

4. Click Close & logout on the bottom-left corner of the WebUI:5. Return to the WebUI where you are logged in as a admin6. Notice the lock icon Click on the icon to check locked users.7. Now try to commit the changes it will give you an information “Other administrators are holding device wide commit locks”.

13

10. Host name & Time setting configuration

15

11. Banner & Message of the day configuration

NOTE: Logout & re-login to see the effect.

16

12. DNS Configuration

Note: DNS configuration can be done in two ways a) CLI b) GUI

a) CLI admin@PALO_ALTO> configureadmin@PALO_ALTO# set deviceconfig system dns-setting servers primary 4.2.2.2 secondary 8.8.8.8

The DNS server configuration settings are used for all DNS queries that the firewall initiates in support of FQDN address abjects, logging & firewall managenent,.

16

DNS configuration through GUI

• Verify that 4.2.2.2 is the primary DNS Server & 8.8.8.8 is the secondary DNS Server• Verify that updates.paloaltonetworks.com is the Update Server

DYNAMIC UPDATES

18

13.

SOFTWARE UPDATES

19

16

14. License Management

Note: Internet connectivity is mandatory for licensing.

LICENSING

17

20

15. Device Operations

20

16. Backup & Restore

20

Backup has been saved locally on the Palo Alto now we need to Export on our PC.

20

Now you can see Backup file exported/Downloaded to your PC

20

Condition: After exporting Backup we did few changes on the firewall which went wrong & we need to bring firewall to the Backup taken state.

Step 1: Import backup file

20

Step 2: Now load it back to Firewall

QUIZ

21

QUIZ

22

QUIZ

23

QUIZ

24

END OF MODULE THANK YOU !

25