I recently added to my lab network is a Palo Alto Networks PA-820 next-generation firewall (NGFW). Over at Packet6, I’ve been getting into the PAN NGFWs for a while now and we are reselling Palo Alto Networks.
In this post, I’ll be going over a simple configuration to set up the PA-820 for the first time. The goal is to set up a LAN, WAN (using DHCP), and NAT to get internet access.
This process would be very similar for other models as well.
Keep in mind the version running on my firewall is v9.1.4.
Register your firewall
You’ll need to create an account on the Palo Alto Networks Customer Support Portal.
To register your firewall, you’ll need the serial number.
Sign into the portal.
Click on Register a Device
Select the radio for Register a device using Serial Number then click Next
Under Device Registration, you’ll need to fill out all the required information. This includes the serial number of the firewall and the location of where this firewall will be deployed. That last part is important for RMA’s. Then at the bottom you’ll need to agree with the Eula.
There’s an option to create a Day 1 configuration but I’m going to skip that for now.
When finished, your NGFW will be registered.
Access the NGFW
Plug into the MGMT interface of the firewall.
The MGMT interface is configured to 192.168.1.1.
Set your NIC to 192.168.1.2 with a mask of 255.255.255.0. You will not receive DHCP leases from the MGMT interface.
Next, you’ll open a web browser to https://192.168.1.1. You should be presented with the login screen of the NGFW.
Default username and password
The default username is: admin
The default password is: admin
After logging in, you’ll be prompted to change the password for the admin account, which is a super user. The new password must be 8 characters in length and must contain an upper case, lower case, number or special character.
After changing the password, you may be kicked out to the login screen. Log back in with the new password.
You’ll be presented with a Welcome pop up. You can close it and view it again later. You’re now in the NGFW and ready to configure the rest of it!
Configure Device Settings
Next, we’ll configure some basic device settings. Nothing crazy.
Click on the Device tab. On the left navigation, click on Setup. Then in the middle pane, you should be in the Management tab. There is a General Settings section. Click on the Gear icon.
Let’s add a hostname, login banner, and set the time zone.
Here’s the login banner I used.
Packet6 LEGAL NOTICE This is a private system which may be accessed and used for authorized business purposes only. THERE IS NO RIGHT OF PRIVACY FOR ANY PERSON ACCESSING OR USING THIS SYSTEM. Access or use of this information system constitutes consent to these terms.
Create a new super user
It’s only best practice to set up a new user account so you’re not using the default admin account.
Let’s create a new one. We can harden accounts later. This is just basic admin account creation.
On the left navigation click on Administrators then at the bottom click Add.
In the new pop up, type in the name of the account. We won’t set the Authentication Profile just yet so leave it at none. Create a password and select Dynamic for the Administrator Type. From the dropdown, select Super User.
There are two Administrator types:
- Role Based
The latter would be a more secure way to define administrators. The Dynamic type uses the built-in roles:
- Superuser (read only)
- Virtual System Administrator
- Virtual System Administrator (read only)
- Device administrator
- Device administrator (read only)
Commit your changes
We’re now in a good spot to save our changes to the running configuration by commiting.
By using Commit, we take the Candidate configuration and apply it to the Running configuration.
The Commit button is at the top right.
You’ll be presented with a commit pop up where you can preview your changes and add a commit comment.
Before clicking on Commit, click on Preview Changes to see what is included in this Commit Scope.
It’s good practice to review the changes being applied so you don’t create an issue.
Click on Change Summary to get a different view of the changes. I like this view much better. There’s more detail such as the object that is being changed, the location, and the user account that created the change.
Additionally, we can Validate the changes for any errors.
Why don’t we add a commit comment for good practice and click Commit. It will take a moment ☕️
If the Result is Successful then good job! 👍
Before we can have full network connectivity, we need to configure our interfaces.
Let’s create our first network. We will need an interface for our WAN and LAN. I’m going to configure the WAN on interface ethernet1/1 and the LAN on interface ethernet1/2.
Click on the Network tab and on the left navigation click on Interfaces.
By default, I have the two interfaces I want to configure set to an interface type of Virtual Wire (I won’t go over the interface types in this post). We will change this.
Configure the WAN interface
Click on ethernet1/1.
Give the interface a comment.
Click on the dropdown for Interface Type and change it to Layer3.
Under the Config tab, set the virtual router to default. I’ll cover virtual routers in another post.
Click on the IPv4 tab.
My WAN is DHCP only so I’m going to change the type to DHCP Client.
Then click on OK.
Click on Zones on the left navigation
By default, there will be two zones: trust and untrust.
Zones are for grouping physical and virtual interfaces.
Click on untrust.
Change the type to Layer 3.
Click on Add to include interface ethernet1/1.
Then click OK.
We are placing ethernet1/1 in the untrust zone because this is where I’m connecting my ISP. We do not trust the Internet, hence, untrust zone.
Go back to the Interfaces config section.
Click on interface ethernet1/2.
Add a comment for the interface.
Set the Interface Type to Layer3.
Change the Virtual Router to default. (We’ll get to the Security Zone soon.)
Click on the IPv4 tab.
We’re going to begin creating our LAN by configuring the gateway for the LAN to reside on interface ethernet1/2.
Leave the type to Static.
Under the IP section, click Add.
You’ll have the option to add the IP for your new network, I will type in 10.1.1.1/24.
Then click OK.
Go back to Zones.
Click on the trust zone.
Change the Type to Layer3.
Add interface ethernet1/2 to the Interfaces list and then click OK.
Our LAN needs a DHCP scope. We’re not animals, configuring only static IPs for our LAN, are we?
Under the Network tab, click on DHCP from the left navigation.
In the DHCP Server tab, click on Add and we’ll create a scope for our new network under 10.1.1.0/24. You can change that to whatever network you’ve selected as long as the static IP we created earlier is in the same subnet.
Select the LAN interface ethernet1/2 that we configured in the Interface dropdown.
Under the Lease tab, I like to select “Ping IP when allocating new IP” and setting a Lease Timeout.
Under IP Pools, click Add and create a scope like I have done.
Then click on the Options tab.
We need to set the Gateway, subnet mask, and DNS servers.
Then click OK.
Delete the default-vwire, as we’re not going to use it.
Default-wire is used with virtual-wire. You can read up on it on Palo Alto Networks’ website.
Let’s commit our changes from the candidate config to the running config.
Then, we test the LAN interface.
I plug in my laptop into ethernet1/2 and see if I get a DHCP lease.
Sweet, I get an IP address within the DHCP scope we configured. I see I have a gateway assigned and DNS servers. Can I ping the gateway, 10.1.1.1?
% ping 10.1.1.1 PING 10.1.1.1 (10.1.1.1): 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1 Request timeout for icmp_seq 2 Request timeout for icmp_seq 3 ^C --- 10.1.1.1 ping statistics --- 5 packets transmitted, 0 packets received, 100.0% packet loss
If you want to allow ping replies then we’ll need to configure a Management Profile for the interface.
I’m going to plug back into the MGMT interface, where HTTPS and SSH is allowed.
Click on the Network Tab and on the left navigation click on Interface Mgmt under Network Profiles.
Just for simplicity and educational purposes, I’m going to create an interface management profile to allow HTTPS, SSH, and Ping on ethernet1/2.
Click on Add.
Create a name for this Interface Management Profile.
Enable HTTPS and SSH under the Administrative Management Services section.
Enable Ping under the Network Services section.
You can be more restrictive by allowing access to these services from specific IP addresses.
Click on the Interfaces sub menu item.
Click on ethernet1/2 (or your interface configured for the LAN).
Click on the Advanced tab.
Under the Other Info tab, click on the drop down for Management Profile and select the newly created Interface Management Profile.
You’ll be presented with a warning. Understand how this Interface Management Profile affects your network.
Continue by clicking on Yes.
Now, commit your changes.
Let’s test the LAN by plugging your laptop into ethernet1/2. Don’t forget to re-enable DHCP on your laptop interface and ping the gateway.
% ping 10.1.1.1 PING 10.1.1.1 (10.1.1.1): 56 data bytes 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.989 ms 64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.915 ms 64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=1.180 ms ^C --- 10.1.1.1 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.915/1.028/1.180/0.112 ms
What about HTTPS? From the screenshot below you can see that it works. It even has our login banner. That will really scare away the bad guys 😉 And I can successfully log in with my newly created super user account.
You can even see the DHCP lease in the System Logs.
Plug in your WAN connection.
If I refresh my system logs we can see that my ISP’s modem provided a DHCP lease. It’s simple to setup the Palo Alto Networks NGFW WAN interface as a DHCP client.
Can we ping the internet? Nope!
% ping 188.8.131.52 PING 184.108.40.206 (220.127.116.11): 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1 Request timeout for icmp_seq 2 ^C --- 18.104.22.168 ping statistics --- 4 packets transmitted, 0 packets received, 100.0% packet loss
We need to configure NAT!
Click on the Policies tab and then NAT on the left navigation.
Click Add to create a new NAT policy.
In the new NAT Policy Rule window, create a Name, description, and Audit comment.
Then click on Original Packet tab.
For the source zone, add the trust zone. This is where ethernet1/2’s zone.
Under Destination Zone, select untrust from the drop down menu. That is the configured zone for our WAN interface, ethernet1/1.
For Destination Interface, you can leave it as any but I will select ethernet1/1 here.
Click on the Translated Packet tab.
Configure the Translation Type to Dynamic IP and Port.
Address Type to Interface Address.
Interface to our WAN interface.
IP address to None (because we’re using DHCP).
Here’s what the NAT policy looks like.
Now test ping and web browsing.
% ping 22.214.171.124 PING 126.96.36.199 (188.8.131.52): 56 data bytes 64 bytes from 184.108.40.206: icmp_seq=0 ttl=55 time=30.468 ms 64 bytes from 220.127.116.11: icmp_seq=1 ttl=55 time=28.170 ms 64 bytes from 18.104.22.168: icmp_seq=2 ttl=55 time=27.824 ms ^C --- 22.214.171.124 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 27.824/28.821/30.468/1.173 ms
DNS is good too.
% ping google.com PING google.com (126.96.36.199): 56 data bytes 64 bytes from 188.8.131.52: icmp_seq=0 ttl=114 time=27.169 ms 64 bytes from 184.108.40.206: icmp_seq=1 ttl=114 time=26.697 ms 64 bytes from 220.127.116.11: icmp_seq=2 ttl=114 time=28.073 ms
It’s important to note that there is a default ACL included, rule1. It allows traffic from the trust zone to the untrust zone.
You can see the Hit Count for the traffic.
You need to specify what’s allowed through the firewall, and rule1 is allowing any traffic originating from the trust zone out to the internet (untrust zone). With rule1 disabled, our traffic will not get to the Internet.
Our NAT policy has increasing hit count as well.
This is the basic configuration of a Palo Alto Networks firewall where we configured our super user account, basic system configuration, interfaces, and NAT.
Our configuration will work for basic lab and internet use. There are advanced configurations to secure this firewall and the network which I will address in the future.
To see more tutorials like this, sign up for my email list. I’ll be going through more configurations of my PA-820 lab unit.
Dan Nolan says
Great article! Your section on NAT really helped me out!
Dan, I’m glad it helped out! My goal is always to be a resource for others.
Finally, a guide that makes the firewall just work. Great article, so glad I found it.
Outstanding guide. Really helpful.
Do you happen to have one for configuring a new firewall using Panorama?
I don’t have one yet but I’ll consider it. I only have one Panorama instance but it has client information on there. I’ll consider staging up a test Panorama instance.