Palo Alto Firewall: Installation from Scratch till Panorama

This is my basic checklist when installing a new Palo Alto firewall. I used it for a few clusters during the last weeks. It shows the steps required for a PA firewall from the unpacking until it is plugged into Panorama, the central management platform from Palo Alto.

Here is the list. This is not a full step-by-step guide. That is: I have not referenced to any commits, or the like. You should know, when to commit or when to reboot. ;)

Basics for each device separately:

  1. Device -> Setup -> Management: General Settings (Hostname, Domain, Time), Management Interface Settings (IP Address, Netmask, Default Gateway)
  2. Device -> Setup -> Services: DNS Server, NTP Server
  3. Device -> Licenses: “Retrieve license keys from license server”, and if PAN-DB: download and activation

Delete default configuration:

  1. Policies -> Security: rule1
  2. Network -> Virtual Wires, Zones, Interfaces

Cluster High Availability:

  1. Dedicated interfaces OR interface type “HA” (Network -> Interfaces)
  2. Device -> High Availability -> General Setup: Enable, Group ID, Peer HA1 IP Address
  3. Control Link (HA1): Port, IP Address, etc.
  4. Same for Data Link (HA2), if used

Upgrades:

  1. Device -> Dynamic Updates: “Check Now”
  2. Install at least Applications and Threats (needed for PAN-OS upgrade), Download with “Sync To Peer”, installation on both HA devices separately
  3. Device -> Software: “Check Now”
  4. Download and Sync To Peer
  5. Install PAN-OS on both HA devices separately (+ reboot)

Panorama:

  1. On both HA devices: Device -> Setup -> Management -> Panorama Settings: IP Address
  2. On Panorama: Panorama -> Managed Devices -> Add: serial numbers of both HA devices
  3. Panorama -> Templates: Add the cluster to a new OR existing one
  4. Panorama -> Device Groups: Add the cluster to a new OR existing one
  5. Template -> Device -> Setup -> Services: DNS Server, NTP Server (Commit with “Force Template Values”)
  6. Template -> Device -> Administrators: Create at least one admin account (Superuser)
  7. On each HA device: Delete the admin/admin account!
  8. On Panorama: Template -> Device -> Dynamic Updates: Schedule all needed sections. (Commit with “Force Template Values”)

I am doing at least one “Force Template Values” commit after these installation steps. For example, this forces the DNS settings to come completely from Panorama (green symbol) and not from the overridden configuration from the local device (green/orange symbol).

Now in Panorama:

I am configuring at least two further objects for each firewall template, because they have mostly the same settings among all HA clusters:

  1. Templates -> Network -> Network Profiles -> Interface Mgmt: Add the needed profiles, e.g., “untrust-mgmt”, “trust-mgmt”, “only-ping”, or the like
  2. Templates -> Network -> Network Profiles -> Zone Protection: Add the needed profiles, e.g., “zoneprotection-untrust” and “zoneprotection-turst” with the appropriate values

Now the device is fully integrated into Panorama and can be configured through it. That is, all further settings such as interfaces and routes, objects, policies, etc., are installed through Panorama.

Featured image “Fresh Start” by Alan Levine is licensed under CC BY 2.0.

23 thoughts on “Palo Alto Firewall: Installation from Scratch till Panorama

  1. couple questions
    Do I need to configure anything in HA in panorama under device tab?
    also when commit configuration do I commit only active?
    also do I need to make each firewall has different IP address for public and private?

    1. Hi Mike,

      1) If you have a single firewall that you want to manage via Panorama, you do not need to do something with HA. My list just provides my steps for importing a HA-cluster into panorama. If you don’t have HA-clusters, just ignore it.
      2) If you have a HA-cluster in panorama, it automatically summarizes them as a HA-pair. When you do a commit from Panorama to the devices, you can select whether you want to commit to a single device (not recommended) or to the HA-pair.
      3) No, you don’t need different IP addresses for data interfaces. Only (!) the management interface IP address must be unique. Palo has no HA concept of “floating” or “virtual” IP addresses. It only has one single active IP address that always resides on the currently active unit.

  2. Hello,
    I have configured PA firewall version 6 on a VM ESX for training and I do not have a license yet. I am working on that with my salesperson. Anyhow I created all of my interfaces and assigned layer3 IP addresses to each of the Palo’s interface however I am not able to ping the layer 3 IP interfaces. The only one that works is my management IP address. Is this not working because I am missing the license? Thank you in advance.

    1. This is a configuration problem. You must configure an Interface Management profile (under Network -> Network Profiles -> Interface Mgmt) which allows at least ping. Then you have to bind this profile to the interface (unter Interfaces -> select your interface -> Advanced -> Management Profile).
      Cheers,
      Johannes

  3. Hello,
    We are configuring a new PA which will have its own rule set, is there any value in hosting these rules on Panorama and pushing them to the firewall or do you recommend local rules on the firewall ?
    Thanks !!

    1. It depends. If you plan to have lots of firewalls, you should use a centralized management, i.e., Panorama. If you host only one single firewall, you don’t need it.

  4. Hi Sir,

    I am new to Palo Alto Panorama M-100. My question is, how to separate management traffic from log collection, as per the admin guide the log collection can be delegated to one of the interfaces available such as eth1 or eth2, however I dont understand if I will configure an IP address to the interface for log collection and if an IP is needed will it be an IP same subnet of the management IP?.

    Thanks,

    Francis

  5. Hi,

    I have remote site PA firewalls and also Panorama, so in this case if i want to configure dhcp server/relay agent on remote site device, do i need to push it through Panorama or directly on device, please let me know. It would be great if you can explain well.

    1. Hi Bala,

      In your case if the PA Firewall is already managed by the Panorama then you can push the config via Panorama using if it has already existing Template.

      Thanks,
      Francis

  6. Please need your feedback i have PA HA pair both Management interface connect to our management layer 2 switch problem is i can access one PA through Mang IP but i cannot access other any body help me what is is issue.

    1. Hi Awais,
      the Palo Alto Management Interface is nothing more than a normal “host” interface such as any Linux machine or whatever. Have you really checked:
      – the management IPv4 address (of course it must be unique on the subnet!)
      – subnet mask
      – default gateway
      – enabled https/ssh
      – layer 2 vlan of your switch
      – and so on?

      This is probably not a Palo Alto problem, but a simple layer2/3 problem within your network of within the management port configuration.
      Cheers,
      Johannes

      1. Hi Johannes,

        Thanks for your replay i agreed with you but my concern is i have tow PA
        one is accessible with same vlan but second is not accessible same config on switch side.

  7. Hello,

    Johannes Weber & Francis
    your prompt response highly appropriated please reomend we will go Panorama config we have PA HA pair.

  8. Hi, We’ve Palo alto HA pairs managed by Panorama. My query is, what will happen if we make config changes in PA firewall locally, instead of Panorama. And, will i be able to install the configurations successfully..

    Will it create any config sync error like how Cisco CSM generates. Please assist.

    1. Hi Srinivasan,

      please have a look at the Palo Alto documentation. It is explained in detail there.

      Short story: You can “override” almost all settings locally. Later on, you can “revert” them back. You’ll such small green/yellow icons on all settings. Be careful: You can also “force” all settings from Panorama. This will revert all local settings.

      You won’t run into config sync errors.

    1. Hey JP,

      that’s a good question. Normally we are configuring everything through Panorama *except* the HA settings and the mgmt-interface settings, because they are different on both members. (Unlike all interfaces that are the same for both member.)

      If you want to configure the cluster completely from Panorama you need two different templates and template stacks for both of them. But again, I am not doing it that way.

      Cheers, Johannes

      1. Thanks much. So I can configure HA first using Firewall settings and then I can add to Panorama for the central mgmt kind of things.

      2. Hi,

        I want to migrate one PA cluster from PA 2000 to PA 3200. Is there any process document to follow please?

        1. Hey JP,

          I don’t have a documentation for this – but it should be fairly easy. Of course you need to check the interfaces, but the policies and so on should remain the same.

          Good luck,
          Johannes

          1. Thank you so much Johannes. Should I worry about the software version between the old and new FW?

            Few document says it should be similar version and few says one version different Shouldn’t be an issue?

            Please suggest as I’ll use the device state export and import back up for the migration.

            Thanks
            JP

            1. Hello Jyoti,

              to be honest, I am not 100 % sure. I would try to use the same PAN-OS version.

              However, please open a support ticket for your questions at PAN directly. They should provide you the most appropriate information.

              Cheers
              Johannes

  9. I have a requirement of creating creating multiple vsys on PA5220,all vsys will be suppoting same organization,can someone help in giving me steps of creating the vsys and migrating the existing firewalls to new vsys created

Leave a Reply

Your email address will not be published. Required fields are marked *