Palo Alto Networks Administration Basics


Introduction

Palo Alto Networks next-generation firewalls (NGFW) are security devices that possess a range of capabilities to meet current and future information security needs.

This blog provides the steps to get started on the path to becoming an exceptional Palo Alto Networks administrator.

Initial Steps

Take the following steps when preparing to manage a Palo Alto Networks firewall:

  • Create a Palo Alto Networks Support account (https://support.paloaltonetworks.com) and input the corresponding serial numbers and licenses for the designated firewall(s) provided in the purchase order email by accessing Assets>Devices and clicking the Register New Device button.
    Note: The Palo Alto Network firewalls support online and offline activation for licensing.
  • CLI access:
    • Physical Console: Baud Rate 9600 / Data Bits 8 / Parity None / Stop Bits 1 / Flow Control None
    • Default Username and Password is admin and admin.
    • Enter the configure command to go to configuration mode.
    • Enter the set deviceconfig system ip-address x.x.x.x (management IP) netmask .x.x.x.x (subnet mask) default-gateway x.x.x.x (default gateway) dns-setting servers primary x.x.x.x (primary DNS server) secondary x.x.x.x (secondary DNS server).
    • Enter the commit command to update the running configuration.
  • Default Administrator Account Password
    • Go to Device>Administrators and click on admin to change the Password from admin to a preferred local password.
  • Management Interface Settings
    • Go to Device>Setup>Management>Management Interface Settings and click the gear symbol to change the addresses & subnets permitted to access the Management Interface and the services running on the interface.

Note: The permitted subnet is now 192.168.242.0/24 and HTTPS, SSH, and Ping are allowed

  • Setting Up the Syslog Server
    • Go to Device>Server Profiles>Syslog and click Add
    • Enter a name for the Syslog Server Profile
    • Click Add, update the Name and Syslog Server (IP or FQDN) fields with the server, and click the OK button

Traffic Interfaces

The following are the common interfaces types that allow for connectivity to other network devices:

  • Tap – Monitors tapped traffic.
  • Layer 2 – Operates at Layer 2 and requires an external routing device for communication among interfaces that are in different VLANs.
  • Layer 3 – Operates at Layer 3, requires an IP address, and includes a virtual router instance on the NGFW. Use of this interface changes routing for adjacent network devices.
  • Virtual Wire – Combines two Ethernet interfaces to operate as a “bump in the wire” that can pass a subset or all traffic through these ports without changes to routing for adjacent network devices.
    • The two interfaces make up a Virtual Wire
  • High Availability (HA) – Used to support the high availability (active/passive or active/active) settings for a pair of the same NGFWs devices (the same model, PAN-OS version, and other settings are required).

  Note: Configure subinterfaces to segment traffic further for the physical Layer 2 and Layer 3 interface.

Let’s utilize ethernet1/3 and ethernet1/4 as a part of a Virtual Wire.

  • Go to Network>Interfaces and click on ethernet1/3 and ethernet1/4 and change the Interface Type dropdown to Virtual Wire and click the Ok button.
  • Go to Network>Virtual Wires and click Add. Enter a name in the Name field and update the Interface1 and Interface2 dropdowns with ethernet1/3 and ethernet1/4.

Zones

Zones are a grouping of interfaces on the NGFW that correspond to a specific traffic segment.

Here is some important information to know about Zones.

  • Zones can contain 1 or more interfaces
  • Each interface can only be assigned to 1 zone

Also, the four Zone types correspond to four of the Interface types: TAP, Virtual Wire, Layer 2, and Layer 3.

Let’s add ethernet1/3 to a Virtual Wire Zone named Untrust and ethernet1/4 to a Virtual Wire Zone named Indeni-Ex Internal Side.

  • Go to Network>Zones and click Add
  • Update the Name field
  • Change the Type dropdown to Virtual Wire, click Add in the Interfaces section and click the OK button

Address Objects/Groups

Address Objects can be created to represent a single IP address or IP range to be referenced in Policies on the firewall (Security, NAT, etc.). Address Groups include multiple Address Objects.

Let’s create an Address Object for 67.222.18.206 (indeni.com).

  • Go to Objects>Addresses, click Add, and update the Name field.
  • Enter 67.222.18.206 (field to the right of the Type dropdown) and click the OK button.

Applications/Services

The Palo Alto Network NGFWs can traffic as an application or a service. Here is the information these two traffic classifications:

    • Applications – App-IDs that identify the traffic regardless of the port utilized.
      • Viewed at Objects>Applications and https://applipedia.paloaltonetworks.com
      • Services – objects that identify traffic by protocol (TCP/UDP) and source/destination port(s).

Security Profiles

Security profiles scan security policies that have an action set to Allow (like an allow-if statement). The most commonly used security profiles are Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, and WildFire. Here is information on these profiles and the associated subscription licenses.

      • Threat Prevention License
        • Antivirus Profile – protects against viruses, worms, and trojans as well as spyware downloads.
        • Anti-Spyware Profile – identifies and prevents spyware on compromised hosts from successfully contacting external command-and-control (C2) servers.
        • Vulnerability Protection Profile – foils attempts to exploit system flaws or gain unauthorized access to systems.
      • URL License (PAN-DB or BrightCloud)
        • URL Filtering Profile – enables the admin to monitor and control how users access the web over HTTP and HTTPS.
      • WildFire License
        • WildFire Analysis Profile – utilizes the PAN cloud-based malware-analysis environment to identify unknown malware, zero-day exploits, and advanced persistent threats (APTs) through static and dynamic analysis in a scalable, virtual environment.
      • Go to Objects>Security Profile Group, click Add, update the Name field, and select default for the Antivirus, Antivirus, Vulnerability Protection, URL Filtering, and WildFire Analysis Profiles, and click the OK button.

Security Policies

Security policies are processed from first-to-last and first match wins to allow or deny traffic.
There are three types of security policies:

      • Intrazone – secures traffic flowing within a Zone and is allowed by the default security policy intrazone-default.
      • Interzone – secures traffic flowing between Zones and is denied by default.
        • Denied by the default security policy intrazone-default.
      • Universal – secures both types of Zone traffic and is the default security policy type.

Let’s create a security policy that allows any traffic from the Indeni-Ex Internal Side Zone to the indeni.com Address Object within the Untrust Zone.

      • Go to Policies>Security, click Add, and update the following tabs:
        • General>Name field
        • Source>Source Zone, click Add, and select Indeni-Ex Internal Side
        • Destination>Destination Zone, click Add, and select Untrust & Destination>Destination Address, click Add, and select the Indeni Website Address Object.
        • Actions>Profile Setting>Profile Type (Group) & Group Profile (name).
        • Log Forwarding, click New Profile, update the Name field, select the Syslog profile under Traffic Settings, click the OK button for Log Forwarding and click the OK button for the Security Policy.

Commit

The majority of the changes made to the firewall configuration are added to the candidate config—a staging area for changes that yet to be made active—and need to be committed to be included in the running config.

To add changes to the running config:

      • Click Commit
      • Click the Commit button

  Note: The Commit Status provides details on if the commit was successful.

We’re up and running…Let’s stay on track.

We just learned about change commitments for the Palo Alto Networks firewall. As a result, the configuration changes are literally operating in the running configuration. The information above introduced the initials steps for connecting to the firewall, the basics of firewall administration, and activating administrative changes. If more assistance is required, click on Help near the top-right of the GUI.

Have a great day!

This post was written by Indeni Crowd Community member, Paul Carter.

Connect with Paul and other Network Security experts today by joining Indeni Crowd, an IT professionals go-to for sharing best practices and building Network Security Automation scripts.

About the author
Paul Carter