Objectives

- Connect to the firewall and log in as admin
- Configure the network settings for the management interface port
- Describe the difference between the running configuration and the candidate configuration
- Configure dynamic firewall updates to update the applications and threats database
- Create a local firewall administrative account
- Access the firewall logs

Palo Alto firewalls are built with a dedicated out-of-band network management port. This port only passes traffic for the management functions of the firewall; it cannot be configured as a standard traffic interface. It can be used for direct connectivity to the management plane of the firewall. The default IP address of the firewall is 192.168.1.1 for most physical models. Virtual firewalls are set by default to receive an address from a DHCP server.

Any initial configuration of a Palo Alto firewall must be performed from the dedicated management port, labelled MGT, or via a serial connection to the console port. The baud rate and settings for the serial connection are 9600-8-N-1.

The default username and password for the Palo Alto are:

Username: admin
Password: admin

The firewall will prompt you, in both the CLI and the web interface, to change these credentials away from the defaults. The administrator password is stored in the firewall's XML configuration file, but is encrypted using the firewall's master key.

There are four ways of accessing the firewall's administrative functions:

Web Interface – The most common way to configure and monitor a Palo Alto firewall. The graphical web interface provides detailed administrative and reporting tools in a browser.

SSH or Console (Command Line Interface) – The CLI allows access to the firewall to display status and configuration information, and also allows modification. The CLI can be accessed through SSH, Telnet, or the serial console.

Panorama – If multiple firewalls are deployed, Panorama can be used to manage configurations, policies, software and dynamic content updates all in one place. Panorama aggregates data from all the firewalls and can display it all within the Panorama web application.

REST XML API – The REST-based interface allows access to operational status, reports and packet captures. Like the other methods, it also allows the firewall to be configured. External systems can also use the XML API to send login events to the firewall. The API is implemented using HTTP/HTTPS requests and responses. An API browser is also present on the firewall, reached by appending /api to the end of the firewall's URL, for example:

To reset the Palo Alto firewall back to factory configuration when the password is known, enter the CLI and enter the following command:

This command erases all logs, resets all settings, and saves a default configuration once the management IP address has been changed. If the password is not known, reboot the firewall and, whilst it is starting up, enter the command

After some time, the firewall will offer the option to reset to factory defaults via the menu option Reset to Factory Default.

1. On the system you will use to access the Palo Alto, change its IP address to one in the 192.168.1.0/24 subnet (anything between 192.168.1.2 and 192.168.1.254).
2. Once the configuration has been applied, connect your device to the MGT port with an Ethernet cable.
3. After a few seconds, open a web browser and navigate to https://192.168.1.1
4. A Palo Alto login page should appear; log in to the firewall using the default username and password of admin / admin.
5. Once logged in, navigate to Device -> Setup -> Interfaces and click Management.
6. A window will open; configure the network settings for the management interface as required.
7. Commit the configuration, and reconnect to the web interface using the new network configuration.

Configuring General Settings

Under Device -> Setup -> Management -> General Settings -> [Gear Icon], from top to bottom of the pop-up window:

Hostname – An identifiable name for the firewall of up to 31 characters, which can be a mix of alphanumeric, hyphen and underscore characters. The default hostname is the model of the firewall.

Domain Name – Empty by default. Can contain up to 31 alphanumeric, hyphen or underscore characters.

DHCP checkboxes:

Login Banner – Configures a pop-up message to present when logging into the Palo Alto firewall.

SSL/TLS Service Profile – When SSL/TLS is in use, the firewall requires a digital certificate that will be trusted by the clients.

Latitude/Longitude – Configure these settings to place the firewall on the map under the ACC tab.

Configure DNS and NTP servers

Go to Device -> Setup -> Services -> [Gear Icon].

DNS server configuration is required for the Palo Alto firewall to reach the update servers. The NTP configuration is optional but recommended; it makes the logs much easier for a human to read. Note that if the management interface has been configured by DHCP, these values can be assigned to the firewall automatically via DHCP.

The Services window also allows the domain name of the update server to be configured, from which the latest software and any updates to the threat database are fetched. Ticking the checkbox to validate the update server's identity adds a level of security between the firewall and the update server.

Service Routes

To access external services, the management port is used by default. These external services would be:

If the management port should not be used for these services, an alternative port or logical interface can be configured instead, under Device -> Setup -> Services -> Service Route Configuration.

Configuration Types

The firewall has two main types of configuration: the running configuration and the candidate configuration. The running configuration is the configuration actually running on the Palo Alto firewall; it is maintained in a file on the firewall called running-config.xml. The running configuration is copied to the candidate configuration during startup. Any edits made before a commit are made to the candidate configuration. Once a commit has been made, the candidate configuration overwrites the running configuration. The firewall saves the previous running configuration, labelled with a date and timestamp. The web interface contains a set of operations that can be used to manage the running and candidate configurations.

Global Configuration Management

The Configuration Management section, in Device -> Setup -> Operations, contains options for global configuration management (for all administrators' changes, rather than one admin's):

Revert, Save and Load manage local configurations on the firewall.
Export operations transfer configurations as XML-formatted files to the host accessing the Palo Alto firewall through the web browser.
Import operations import configurations from the host running the web browser to the Palo Alto.

If a configuration is loaded or reverted from configuration management, only a full commit is possible. A full commit writes all changes made to the running configuration.

Configuration Options

At boot time, the latest configuration on the hard disk is loaded into the candidate configuration in control plane memory. The control plane forces an automatic commit to copy this candidate configuration into the running configuration in control plane memory. The running configuration is then pushed to the running configuration in data plane memory, where it is used to inspect, control and secure traffic traversing the firewall. Any administrator that makes changes to the candidate configuration and follows with a commit writes the changes into control plane and data plane memory. The firewall automatically takes timestamped backups when a commit is performed.

Saving a candidate configuration

A candidate configuration can be saved in several ways. Navigate to Device -> Setup -> Operations:

Click Save named configuration snapshot to save the current candidate configuration to an XML file on disk. Multiple named configurations can be saved this way.
Click Save candidate configuration to save the configuration to memory. If edits are made and Save candidate configuration is clicked again, the previous save is overwritten. Note that this saved configuration is stored in volatile memory and will be erased if the firewall is rebooted.
A named configuration snapshot (an XML file) can be loaded to replace the existing candidate configuration.
Revert to last saved configuration aborts any changes to the configuration since the last save.
To discard the candidate configuration and start over, click Revert to running configuration. This copies the running configuration to a fresh candidate configuration.

Admin Level Commit

An admin-level commit enables an administrator to commit only their own changes to the running configuration, and not other administrators' active changes. If Commit All Changes is selected, all changes made by all administrators are committed; this can only be selected if the administrator has the correct privileges. A middle ground is also available, where a group of administrators' changes can be committed, leaving other administrators' changes alone.

Administrator Level Save and Revert

Per-admin changes can be saved without needing to commit; the icons are available on the 'Config' drop-down at the top right of the page. The Save Changes icon allows an admin to save current changes and continue later without needing to commit a partially completed configuration change. The saved changes made by any administrator are written to the same default XML file, but each change is tagged with information about the administrator that made it. The Revert Changes icon removes the most recent changes since the last saved candidate configuration. There is a choice between reverting to the last saved configuration made by the administrator logged in, or the last saved configuration made by other administrators.

Preview and Validate Changes

The Preview Changes button compares the candidate and running configurations. It opens a window that displays a side-by-side comparison of the running and candidate configurations before a commit is made. Differences are colour-coded to indicate where configuration has been added, changed, or deleted. The change summary lists the individual settings where changes are being committed: object names, whether each is shared or belongs to a specific virtual system, and whether it has been edited, created, or deleted.

The Validate Commit button shows any errors that would appear during a commit. The validation performs a syntactic and semantic check of the firewall configuration before it is committed; the semantic validation determines whether the configuration is valid and complete. This reduces the number of failures at commit time. The results show any warnings or errors that would have been displayed on a full commit. Warnings do not prevent a commit. The preview and validate commit buttons can display all changes by all administrators, or just the changes made by selected administrators.
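The candidate-versus-running comparison that Preview Changes performs, written out as an added example (not PAN-OS code) that also covers the Configuration Types section above: two constructed XML fragments that only loosely follow the running-config.xml layout are flattened to leaf paths and classified as added, changed or deleted, the three states the preview colour-codes.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for running-config.xml (the enforced config).
RUNNING_XML = """<config>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>PA-220</hostname>
    <dns-setting><servers><primary>192.0.2.53</primary></servers></dns-setting>
  </system></deviceconfig></entry></devices>
</config>"""

# Constructed sample candidate: since the last commit an admin renamed the
# firewall, set a timezone and removed the DNS server.
CANDIDATE_XML = """<config>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>edge-fw-01</hostname>
    <timezone>UTC</timezone>
  </system></deviceconfig></entry></devices>
</config>"""


def flatten(node, path="", out=None):
    """Map every leaf element to an XPath-like key; <entry> elements are keyed
    by their name attribute, the way PAN-OS XPaths address them."""
    if out is None:
        out = {}
    for child in node:
        tag = child.tag
        if tag == "entry" and "name" in child.attrib:
            tag = "entry[@name='%s']" % child.attrib["name"]
        key = path + "/" + tag
        if len(child) == 0:
            out[key] = (child.text or "").strip()
        else:
            flatten(child, key, out)
    return out


def preview_changes(running_xml, candidate_xml):
    """Leaf paths added, changed or deleted in the candidate relative to running."""
    running = flatten(ET.fromstring(running_xml))
    candidate = flatten(ET.fromstring(candidate_xml))
    return {
        "added": sorted(k for k in candidate if k not in running),
        "changed": sorted(k for k in running
                          if k in candidate and running[k] != candidate[k]),
        "deleted": sorted(k for k in running if k not in candidate),
    }


def pending_commit(running_xml, candidate_xml):
    """True when a commit would alter the running configuration, i.e. when
    Revert to running configuration would discard something."""
    return any(preview_changes(running_xml, candidate_xml).values())


if __name__ == "__main__":
    for state, paths in preview_changes(RUNNING_XML, CANDIDATE_XML).items():
        for path in paths:
            print("%-8s %s" % (state, path))
```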
Transaction Locks

Device -> Setup -> Management -> General Settings

A lock can be taken to block other administrators:

Locks can be removed by the administrator who created them, or by an administrator with superuser rights. A lock can be configured to be taken automatically when an administrator logs in. Commit and configuration locks are released automatically when an administrator commits their configuration.

Licensing and Software Updates

The process of activating the firewall is:

1. Register the firewall with Palo Alto Networks.
2. Activate a support licence.
3. Activate the licences for each subscription that was purchased in Device -> Licences (once support is activated). The activation of the WildFire licence requires a commit.

Before any licences can be retrieved, the firewall itself needs an initial configuration of IP address information and a DNS server address so that it can reach the internet.

Dynamic Updates

Updates include new anti-virus and anti-spyware definitions, new malicious domains and malicious URLs, and new application signatures. It is essential to download these updates to the firewall to maintain the most current protection offered. A threat protection licence is required to download Applications and Threats updates.

Updates can be obtained from the Palo Alto update server via two paths. One is downloading the updates to another system, such as a user desktop or a Panorama management device, and then uploading them to the firewall. The other is navigating to Device -> Dynamic Updates on the firewall and clicking Install to install the update.

The following release schedules are available for updates:

Antivirus: daily
Applications and Threats: weekly updates, with new applications coming monthly
WildFire: around every 5 minutes

The firewall can be configured to check for updates as frequently as required: as often as every hour for anti-virus, as often as every 30 minutes for applications and threats, and once per minute for WildFire updates.

PAN-OS Updates

To maintain the most current protection, the firewall needs to be updated to the latest PAN-OS software. When an upgrade is performed, it is important to download the next x.0 base release before downloading the next minor release. When installing the minor release, the base release is installed automatically. Like dynamic updates, there are two methods of updating the firewall: uploading a file, or using the Check Now hyperlink. The MGT port is used to fetch these updates, but a separate in-band port can be configured instead. The firewall must be running the most recent version of the Applications and Threats database; the software upgrade process fails if it does not have a current update.

Administrator Account and Role Repositories

The firewall can authenticate locally or remotely defined administrators: a local account and password, or a remote account and password. PAN-OS software supports remote authentication using Active Directory, Kerberos, LDAP, RADIUS and TACACS+. Roles for each administrator can be defined locally or remotely, using Custom Roles or Dynamic Roles. Remote role assignments are supported via RADIUS or TACACS+ using VSAs (Vendor Specific Attributes). All administrator changes, whether local or remote, are logged in the firewall's Configuration and System logs: the time of login and any configuration changes that are made.

Firewall Authentication of non-local users

Before an external authentication service can be used, an authentication profile needs to be created on the firewall. The authentication profile contains the information needed to authenticate an administrator account against an external authentication service, once one of the service's servers can be reached. An authentication sequence is a method by which a firewall can contact multiple services to authenticate an account. A specified list of authentication profiles can be created by adding them to the optional authentication sequence on a firewall; if one is created, specify the sequence instead of the profile on the user account on the firewall. An authentication profile uses a server profile, which is used to locate the external authentication service's servers.
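The way an authentication sequence is walked for a non-local login, as described in this section, modelled as an added example (not PAN-OS code): profiles are tried in order, a listed local database is tried first wherever it sits, a profile without a reachable server profile or without the account is skipped, and the login fails only once every profile has failed. The profile names, servers and accounts are constructed, and the "reachable" flag is this example's stand-in for whether one of the service's servers can be contacted.

```python
from typing import Dict, List, Optional, Tuple

LOCAL_DB = "local-database"  # name this example gives the local database entry


class ServerProfile:
    """Where the firewall would reach an external service (LDAP, RADIUS, ...).
    A username->password dict stands in for what the service would answer."""
    def __init__(self, name: str, accounts: Dict[str, str], reachable: bool = True):
        self.name, self.accounts, self.reachable = name, accounts, reachable


class AuthProfile:
    """server_profile=None models 'no server profile found' (step four, no)."""
    def __init__(self, name: str, server_profile: Optional[ServerProfile]):
        self.name, self.server_profile = name, server_profile


def authenticate(user: str, password: str, sequence: List[AuthProfile],
                 local_accounts: Dict[str, str]) -> Tuple[bool, Optional[str], List[str]]:
    """Return (success, profile that succeeded, per-profile trail for the System log)."""
    trail = []
    ordered = sorted(sequence, key=lambda p: p.name != LOCAL_DB)  # local first, order kept
    for profile in ordered:
        if profile.name == LOCAL_DB:
            if local_accounts.get(user) == password:
                trail.append(profile.name + ": ok")
                return True, profile.name, trail
            trail.append(profile.name + ": failed")
            continue
        sp = profile.server_profile
        if sp is None or not sp.reachable:          # step four: no server profile
            trail.append(profile.name + ": no server profile reachable")
            continue
        if user not in sp.accounts:                 # account not found, next profile
            trail.append(profile.name + ": account not found")
            continue
        if sp.accounts[user] == password:           # check the password
            trail.append(profile.name + ": ok")
            return True, profile.name, trail
        trail.append(profile.name + ": bad password")
    return False, None, trail                       # every profile failed


# Constructed sample: LDAP preferred, TACACS+ second but currently unreachable,
# a profile with no server profile, and the local database listed last.
LDAP = ServerProfile("corp-ldap", {"alice": "ldap-pw"})
TACACS = ServerProfile("noc-tacacs", {"bob": "tacacs-pw"}, reachable=False)
SEQUENCE = [AuthProfile("ldap-admins", LDAP), AuthProfile("tacacs-admins", TACACS),
            AuthProfile("orphan-profile", None), AuthProfile(LOCAL_DB, None)]
LOCAL_ACCOUNTS = {"admin": "changed-from-default"}

if __name__ == "__main__":
    for u, p in [("admin", "changed-from-default"), ("alice", "ldap-pw"), ("bob", "tacacs-pw")]:
        print(u, authenticate(u, p, SEQUENCE, LOCAL_ACCOUNTS))
```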
A server profile can be configured with a list of external authentication servers.

Step one: Authenticate the non-local password.
Step two: Read the optional authentication sequence.
Step three: Go to the first/next authentication profile.
Step four: Has a server profile been found?
  If no: login has failed for this profile; check whether there is another authentication profile and go to step three.
  If yes: was an account found?
    If no: if there is another authentication profile, go to step three.
    If yes: check the password authentication.

Server Profiles

Device -> Server Profiles

Server profiles define connections that the firewall can make to external servers for the purposes of authentication. These external servers can be Kerberos, LDAP, RADIUS, SAML, or TACACS+ servers. Server profiles are required to validate login information for accounts that were not created locally on the firewall.

Authentication Profiles

Device -> Authentication Profiles

The authentication profile specifies which server profile and settings are used to authenticate the administrator account. An authentication profile is specified when an administrator account is created whose name and password are maintained on an external service.

Authentication Sequence

An optional configuration if multiple external services have been defined. The sequence is an ordered list of authentication profiles, from most preferred to least preferred, that should be checked to authenticate an administrator account. Each one in the list is checked until one profile successfully authenticates the user. If a local database is present in the list, the firewall checks that one first regardless of where in the order it comes. Authentication only fails once all profiles fail the query of the login information.

How to export a backup of managed device configuration files from Panorama?

Go to Panorama > Setup > Operations and click "Export Panorama and devices config bundle". Save the compressed file to local disk and decompress it to access all the current device configuration files. Note: the downloaded file names appear in different areas depending on the web browser brand and version.

What is the difference between a candidate configuration and a running configuration?

The running configuration is the actual configuration controlling the operation of the firewall. It is maintained in a file on the firewall named running-config.xml. The candidate configuration is a copy of the running configuration.

What is an advantage of using application tags?

A. They are helpful during the creation of new zones.