This is my basic checklist when installing a new Palo Alto Networks firewall. It shows the steps required for a PANW firewall from unpacking until it is connected to Panorama, the central management platform from Palo Alto Networks.
This is not a full step-by-step guide. That is: I have not referenced any commits, or the like. You should know when to commit or when to reboot. ;)
Basics for each device separately:
- Start the firewall for the very first time, connect via a console cable, and exit the “ZTP” mode with a “yes” and “y”.
- You are forced to change the default admin password.
- Disable the ZTP mode *again*, because there is still some zombie config left. :( The system reboots immediately after that. Once again, you’ll run into the default admin password. ;)

```
set system ztp disable
```

- Set at least the Mgmt interface IP settings, DNS server and NTP server:

```
configure
set deviceconfig system ip-address <IP> netmask <MASK> default-gateway <IP> dns-setting servers primary <IP>
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP>
commit
```

- [optional, if not done via Panorama later on] Connect via Ethernet to the Mgmt interface. Change the following settings: Device -> Setup -> Management: General Settings -> Hostname, Domain, Timezone
- Device -> Licenses: “Retrieve license keys from license server” (Assuming that you’ve already licensed the serials in the Customer Support Portal.)
- Device -> Dynamic Updates: “Check Now”. Install at least Applications and Threats (needed for PAN-OS upgrade), download and install. Be aware that some pre-defined EDLs come with Antivirus only. If you need them later on, please install an Antivirus package as well. (“Check Now” again.)
- Device -> Software: “Check Now”. Refer to the “Preferred Release Guidance” to choose your PAN-OS; download, install, and reboot.
*Delete* default configuration:
- Policies -> Security: rule1
- Network -> 1x Virtual Wires, 2x Zones, 2x Interfaces
[optional] Enable Advanced-Routing:
- Delete the “default” virtual router
- Device -> Setup -> Management -> General Settings: Enable “Advanced Routing”. Followed by a “Skip”, since no migration from VR -> LR is needed. (GUI refreshes.)
- Commit. Reboot.
Cluster High Availability:
- Dedicated interfaces OR interface type “HA” under Network -> Interfaces
- Device -> High Availability -> General Setup: Enable, Group ID, Peer HA1 IP Address
- Control Link (HA1): Port, IP Address, etc.
- Same for Data Link (HA2), but of course, other IP addresses (or “ethernet” as type)
Panorama:
- Assuming you’ve connected both firewalls with their Mgmt interfaces to your Mgmt network that is reachable. ;)
- On Panorama: Panorama -> Managed Devices -> Add: serial numbers of both devices, “Generate Auth Key” and “Copy Auth Key to Clipboard”. I personally prefer to NOT associate the devices at this point. That is: *uncheck* the “Associate Devices”. Commit to Panorama.
- On both devices: Device -> Setup -> Management -> Panorama Settings: IP Address & copied “auth key” from Panorama. Commit on *both* devices independently!
- Panorama -> Templates: Add the cluster to a new OR existing template stack
- Panorama -> Device Groups: Add the cluster to a new OR existing device group
- Template -> Device -> Administrators: Create at least one admin account (Superuser)
- On each device: Delete the “admin” account! (I’m not 100 % sure whether or not the deletion of an admin account is synced.)
I am doing at least one “Force Template Values” commit after these installation steps. For example, this forces the DNS settings to come completely from Panorama (green symbol) and not from the overridden configuration from the local device (green/orange symbol).
Now the device is fully integrated into Panorama and can be configured through it. That is, all further settings, such as interfaces and routes, objects, policies, etc., are installed through Panorama.
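As an added illustration (not part of the original checklist), here is a small Python audit that checks an exported PAN-OS XML configuration against the items above that leave a trace in the config: DNS/NTP set, the factory defaults (rule1, default virtual wire, “admin” user) deleted, and a replacement superuser present before “admin” goes. The XML paths are assumed from the `set deviceconfig system ...` commands used above and from the default object names; the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS XML config export (assumed layout,
# mirroring the 'set deviceconfig system ...' paths used in the checklist above).
# It deliberately still carries the factory defaults the checklist says to delete.
SAMPLE_CONFIG = """<config>
  <mgt-config><users>
    <entry name="admin"/>
    <entry name="fwadmin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <ip-address>192.0.2.10</ip-address>
      <dns-setting><servers><primary>192.0.2.53</primary></servers></dns-setting>
      <ntp-servers><primary-ntp-server><ntp-server-address>192.0.2.123</ntp-server-address></primary-ntp-server></ntp-servers>
    </system></deviceconfig>
    <network><virtual-wire><entry name="default-vwire"/></virtual-wire></network>
    <vsys><entry name="vsys1">
      <rulebase><security><rules><entry name="rule1"/></rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""

DEVICE = "./devices/entry/"  # single-device export; Panorama exports nest deeper
SYSTEM = DEVICE + "deviceconfig/system/"

def _has_value(root, path):
    node = root.find(path)
    return node is not None and (node.text or "").strip() != ""

def audit_config(xml_text):
    """Return {check: passed} for the checklist items that leave a trace in the config."""
    root = ET.fromstring(xml_text)
    users = root.findall("./mgt-config/users/entry")
    superusers = {u.get("name") for u in users
                  if u.findtext("permissions/role-based/superuser") == "yes"}
    return {
        "dns_primary_set": _has_value(root, SYSTEM + "dns-setting/servers/primary"),
        "ntp_primary_set": _has_value(root, SYSTEM + "ntp-servers/primary-ntp-server/ntp-server-address"),
        # factory defaults the checklist deletes: rule1, the default virtual wire, the admin user
        "default_rule1_removed": root.find(DEVICE + "vsys/entry/rulebase/security/rules/entry[@name='rule1']") is None,
        "default_vwire_removed": root.find(DEVICE + "network/virtual-wire/entry[@name='default-vwire']") is None,
        "default_admin_removed": all(u.get("name") != "admin" for u in users),
        # a replacement superuser must exist before 'admin' goes, or you lock yourself out
        "replacement_superuser_exists": bool(superusers - {"admin"}),
    }

def failed_checks(xml_text):
    """Names of the checks that did not pass, e.g. as a gate before the Panorama import."""
    return sorted(name for name, ok in audit_config(xml_text).items() if not ok)
```

Run `failed_checks()` over the running config exported from the device; an empty list means the local pre-Panorama steps are done.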
Featured image “Fresh Start” by Alan Levine is licensed under CC BY 2.0.


A couple of questions:
Do I need to configure anything in HA in Panorama under the Device tab?
Also, when committing the configuration, do I commit only to the active one?
Also, do I need to make sure each firewall has a different IP address for public and private?
Hi Mike,
1) If you have a single firewall that you want to manage via Panorama, you do not need to do anything with HA. My list just provides my steps for importing an HA-cluster into Panorama. If you don’t have HA-clusters, just ignore it.
2) If you have an HA-cluster in Panorama, it automatically summarizes them as an HA-pair. When you do a commit from Panorama to the devices, you can select whether you want to commit to a single device (not recommended) or to the HA-pair.
3) No, you don’t need different IP addresses for data interfaces. Only (!) the management interface IP address must be unique. Palo has no HA concept of “floating” or “virtual” IP addresses. It only has one single active IP address that always resides on the currently active unit.
Hello,
I have configured PA firewall version 6 on a VM ESX for training, and I do not have a license yet. I am working on that with my salesperson. Anyhow, I created all of my interfaces and assigned layer 3 IP addresses to each of the Palo’s interfaces; however, I am not able to ping the layer 3 IP interfaces. The only one that works is my management IP address. Is this not working because I am missing the license? Thank you in advance.
This is a configuration problem. You must configure an Interface Management profile (under Network -> Network Profiles -> Interface Mgmt) which allows at least ping. Then you have to bind this profile to the interface (under Interfaces -> select your interface -> Advanced -> Management Profile).
Cheers,
Johannes
Hello,
We are configuring a new PA which will have its own rule set. Is there any value in hosting these rules on Panorama and pushing them to the firewall, or do you recommend local rules on the firewall?
Thanks !!
It depends. If you plan to have lots of firewalls, you should use a centralized management, i.e., Panorama. If you host only one single firewall, you don’t need it.
Hi Sir,
I am new to Palo Alto Panorama M-100. My question is, how do I separate management traffic from log collection? As per the admin guide, the log collection can be delegated to one of the available interfaces such as eth1 or eth2; however, I don’t understand whether I have to configure an IP address on the interface for log collection, and if an IP is needed, will it be an IP in the same subnet as the management IP?
Thanks,
Francis
Hi,
I have remote site PA firewalls and also Panorama, so in this case, if I want to configure a DHCP server/relay agent on the remote site device, do I need to push it through Panorama or directly on the device? Please let me know. It would be great if you could explain well.
Hi Bala,
In your case, if the PA Firewall is already managed by the Panorama, then you can push the config via Panorama if it already has an existing Template.
Thanks,
Francis
Please, I need your feedback. I have a PA HA pair; both Management interfaces connect to our management layer 2 switch. The problem is I can access one PA through the Mgmt IP but I cannot access the other. Can anybody help me with what the issue is?
Hi Awais,
the Palo Alto Management Interface is nothing more than a normal “host” interface such as on any Linux machine or whatever. Have you really checked:
– the management IPv4 address (of course it must be unique on the subnet!)
– subnet mask
– default gateway
– enabled https/ssh
– layer 2 vlan of your switch
– and so on?
This is probably not a Palo Alto problem, but a simple layer 2/3 problem within your network or within the management port configuration.
Cheers,
Johannes
Hi Johannes,
Thanks for your reply. I agree with you, but my concern is I have two PAs:
one is accessible with the same VLAN but the second is not accessible, with the same config on the switch side.
Hello,
Johannes Weber & Francis
Your prompt response is highly appreciated. Please recommend: should we go with the Panorama config? We have a PA HA pair.
Hi, we’ve Palo Alto HA pairs managed by Panorama. My query is, what will happen if we make config changes in the PA firewall locally, instead of Panorama? And will I be able to install the configurations successfully?
Will it create any config sync error like the ones Cisco CSM generates? Please assist.
Hi Srinivasan,
please have a look at the Palo Alto documentation. It is explained in detail there.
Short story: You can “override” almost all settings locally. Later on, you can “revert” them back. You’ll see such small green/yellow icons on all settings. Be careful: You can also “force” all settings from Panorama. This will revert all local settings.
You won’t run into config sync errors.
Hi,
What settings do we need to perform on Panorama to set up the HA pair?
Thanks
JP
Hey JP,
that’s a good question. Normally we are configuring everything through Panorama *except* the HA settings and the mgmt-interface settings, because they are different on both members. (Unlike all interfaces, which are the same for both members.)
If you want to configure the cluster completely from Panorama you need two different templates and template stacks for both of them. But again, I am not doing it that way.
Cheers, Johannes
Thanks much. So I can configure HA first using Firewall settings and then I can add to Panorama for the central mgmt kind of things.
Hi,
I want to migrate one PA cluster from PA 2000 to PA 3200. Is there any process document to follow please?
Hey JP,
I don’t have documentation for this, but it should be fairly easy. Of course you need to check the interfaces, but the policies and so on should remain the same.
Good luck,
Johannes
Thank you so much Johannes. Should I worry about the software version between the old and new FW?
Some documents say it should be the same version and some say a one-version difference shouldn’t be an issue?
Please suggest, as I’ll use the device state export and import backup for the migration.
Thanks
JP
Hello Jyoti,
to be honest, I am not 100 % sure. I would try to use the same PAN-OS version.
However, please open a support ticket for your questions at PAN directly. They should provide you the most appropriate information.
Cheers
Johannes
I have a requirement of creating multiple vsys on a PA5220; all vsys will be supporting the same organization. Can someone help by giving me the steps for creating the vsys and migrating the existing firewalls to the newly created vsys?