Categories
EDU-110 Study Palo Alto

EDU-110: Initial Configuration of Palo Alto Firewall

Objectives

Connect to the firewall and login as admin

Configure the network settings for the management interface port

Describe the difference between the running configuration and the candidate configuration

Configure dynamic firewall updates to update the applications and threats database

Create a local firewall administrative account

Access the firewall logs

Access to the firewall

The Palo Alto firewalls are built in with a dedicated out of band network management port.

This port only passes traffic for management functions of the firewall, it cannot be configured as a standard traffic interface. It can be used for direct connectivity to the management plane of the firewall.

The default IP address of the firewall is 192.168.1.1 for most physical models. The default address for virtual firewalls is set to recieve an address from a DHCP server.

Any initial configuration for a Palo Alto firewall must be performed from the dedicated mangement port, labeled MGT, or via a serial connection to the console port.

The baud rate and settings for the serial connection is 9600-8-N-1

The default username and password for the Palo Alto are:

Username: admin

Password: admin

The firewall will prompt you to change these credentials in the CLI and web interface away from the defaults.

The password for the administrator on the firewall is stored in the firewalls XML configuration file, but is encrypted using the firewalls master key.

Methods of administrative access to the firewall

There are four ways of accessing the firewalls administrative functions

Web Interface – The most common way to configure and monitor a Palo Alto firewall. The graphical web interface provides detailed administrative and reporting tools in a browser format.

SSH or Console (Command Line Interface) – The CLI allows access to the firewall to display status and configuration information. It allows modification too. The CLI can be accessed through SSH, Telnet, or the serial console.

Panorama – If multiple firewals are deployed, Panorama can be used to manage configurations, policies, software and dynamic content updates all in one place. Panorama aggregates data from all the firewalls and can display them all within the Panorama web application

REST XML API – The REST based interface allows access to operational status, reports and packet captures. Like the other methods, it allows access to configure the firewall too. The XML API can be configured to capture login events and send them to the firewall. The API is implemented using HTTP/HTTPS requests and responses. An API browser is also present on the firewall, by appending /api at the end of the firewalls URL, for example:

http://192.168.1.1/api

Reset to Factory Configuration

To reset the Palo Alto firewall back to factory configuration, if the password is known enter the CLI interface and enter the following command:

request system private-data-reset

This command will erase all logs, reset all settings, and saves a default configuration once the management IP address has changed.

If the password is not known to the firewall, reboot the firewall and whilst it is starting up, enter the command

maint

After some time, the firewall wil offer you the option to reset to factory defaults via the menu option Reset to Factory Default

Configuring the Management Interface

On the system you will access the Palo Alto, change it’s IP address to one in the 192.168.1.0/24 subnet (anything between 192.168.1.2 – 192.168.1.254)

Once the configuration has been applied, connect to the MGT port via an ethernet cable to your device

After some seconds have passed, open a web browser and navigiate to https://192.168.1.1

A Palo Alto login prompt page should appear, log in to the firewall using the default username and password of admin / admin

Once logged into the firewall, navigate to the Device -> Setup -> Interfaces section

Click Management

A window will open up, configure the network settings for the management interface as required

Commit the configuration, and reconnect to the web interface using the new network configuration

Configuring General Settings

Under Device -> Setup -> Management -> General Settings -> [Gear Icon]

From top to bottom of this pop-up window.

Hostname – An identifiable name for the firewall that can contain up to 31 characters. These characters can contain a mix of alphanumeric, hypen and underscore characters. The default hostname is the model of the firewall.

Domain Name – By default, this is empty. Can contain up to 31 alhanumeric, hypen, or underscore characters

DHCP Checkboxes:

  • Accept DHCP server provided Hostname
  • Accept DHCP server provided Domain

Login Banner, configures a pop-up message to present when logging into the Palo Alto firewall

SSL/TLS Service Profile: When SSL/TLS is in use, the firewall requires a digital certificate that wil be trusted by the clients

Long/Lang: Configure these settings to put the firewall on the map under the ACC tab

Configure DNS and NTP servers

Go to: Device -> Setup -> Services -> [Gear Icon]

DNS server configuration is required in order for the Palo Alto firewall to reach update servers

The NTP configuration is optional, but it’s recommended. It makes it easier for a human to read through the logs!

Note, if the management interface has been configured by DHCP. These values can be assigned to the firewall automatically via DHCP

The Services window also allows the domain name of the update server to be configured, to grab the latest sofrware and any updates to the threat database.

Clicking the checkbox to validate the update servers identity adds a level security between the firewall and the update server.

Service Routes

To access external services, the management port is used by default.

These external services would be:

  • Update services
  • DNS services
  • NTP services
  • Licence Retrieval
  • Panorama
  • Other external services

If the managment port is does not wish to be used for these services, an alternative port or logical interface can be configured to be used instead.

This will be configured under the panel in:

Device -> Setup -> Services -> Service Route Configuration

Configuration Types

The firewall has two types of main configuration, the running configuration and the candidate configuration.

The running configuration is the actual configuration running on the Palo Alto firewall. It’s maintained in a file on the firewall called running-config.xml

The running configuration is copied to the candidate configuration file during startup. Any edits made before a commit are made to the candidate configuration.

Once a commit has been made, the candidate configuration overwrites the running configuration.

The firewall saves the previous running configuration and labels these by a date and timestamp.

The web interface contains a set of operations that can be used to manage the running and candidate configurations.

Global Configuration Management

The Configuration Management section, in Device -> Setup -> Operations contains options for global configuration management (For all administrators changes, rather than one admin)

Revert, Save, and Load manage local configurations on the firewall

Export operations transfer configurations as XML formatted files to accessing host accessing the Palo Alto firewall through the web browser

Import operations import configurations from the host running the web browser to the Palo Alto

If a configuration is loaded or reverted from configuration management, only a full commit is possible. A full commit writes all changes made to the running configuration

Configuration Options

At boot time, the latest configuration on the hard disk is loaded to the candidate configuration in the control plane memory.

The control plane forces an automatic commit to copy this candidate configuration into the running configuration in the control plane memory.

The running configuration is then pushed to the running configuration in the data plane memory, where it used to inspect, control, and secure traffic traversing the firewall.

Any administrators that make changes to the candidate configuration and follows with a commit writes the changes in control plane and data plane memory. The firewall does automatically take timestamped backups when a commit is performed.

Saving a candidate configuration

A candidate configuration can be saved in several ways:

Navigate to Device -> Setup -> Operations

Click Save named configuration snapshot to save the current candidate configuraiton to a XML filename on the disk. Multiple named configurations can be saved this way

Click Save candidate configuration to save the configuration to memory. If edits are made and the save canddiate configuration is clicked again, the previous save is overwritten. Note that this saved configuration is stored in viotile memory and will be erased if the firewall is rebooted.

A named configuration snapshot can be loaded to replace the existing candidate configuration. The loaded file is in the format of an XML file.

Revert to last saved configuration aborts any changes to the configuration since the last save.

To delete any candidate configuration and start over, click Revert to running configuration. This copies the running configuration to a fresh candidate configuration.

Admin Level Commit

An admin level commit enables an administrator to only commit their changes to the running configuration, and not any other administrators active changes.

If Commit All Changes is selected, this commits all changes made by all administrators. This can only be selected if the administrator has the correct privileges.

A middle ground is also available, that a group of administrators changes can be commited, leaving other administrators changes alone.

Administrator Level Save and Revert

Per-admin changes can be saved without needing to commit, the icons are available on the ‘Config’ drop down on the top right section of the page.

The Save Changes icon allows an admit to save current changes and continue later without needing to commit a partially completed configuration change.

The saved changes made by any administrator are written to the same default XML file, but each change is tagged with information about the administrator that made that change.

The Revert Changes icon removes the most recent changes since the last saved candidate configuration.

There is a choice between reverting to the last saved configuration made by the administrator logged in, or the last saved configuration made by other administrators

Preview and Validate Changes

The preview changes button compares the candidate and running configurations.

Preview changes will open a window that displays a side by side comparison of the running and candidate configurations before a commit is made. Differences are coloured coded to indicate where configuration has been added, changed, or deleted.

The change summary lists the individual settings where changes are being commited

It will list object names, whether its shared, or for a specific virtual system, and whether it has been edited, created, or deleted.

The validate commit button will show any errors that may appear during a commit

The validation is performed with a syntactic and semantic validation of the firewall configuration before being commited.

The semantic validation determines whether the configuration is valid and complete. This would reduce the number of failures at a commit time.

The results will show any warnings or errors that would of been displayed on a full commit. Warnings don’t prevent a commit though.

The preview and validate commit buttons will display all changes by all administrators, or just changes made by select administrators.

Transaction Locks

Device -> Setup -> Management -> General Settings

A lock can be taken to block other administartors:

  • Commiting a candidate configuraton
  • Making changes to the candidate configuration

Locks can be removed by the administrator who created them, or by an administrator with superuser rights.

A lock can be configured to be automatically taken when an administrator logs in.

Commit and configuration locks are released automatically when an administrator commits their configuration.

Licencing and Software Updates

The process of activating the firewall is:

Register the firewall with Palo Alto Networks

  • Click Assets on the Customer Support Portal
  • Enter the serial number
  • Click Register Device
  • (For VM Firewalls) Register an e-mailed auth code to the Support account on the Customer Support Portal
    • Existing support accounts access the VM-Series Authentication Code link on the Support Portal
    • If no support account exists, use the capacity auth-code to register and create an account

Active a support licence

  • Before subscriptions can be added, the support licence must be activated. Click Device -> Support and Active Support using an authorisation code

Active the licences for each subscription that was purchased in Device -> Licences (Once support is activated)

The activation of the WildFire licence requires a commit

Before any licences can be retrieved, the firewall itself needs to go through an initial configuration of an IP address information, and a DNS server address to reach the internet.

Dynamic Updates

Updates include new anti-virus and anti-spyware definitions, new malicious domains and malicious URLs along with new application signatures. It is essential to download theses updates to the firewall to maintain the most current protection offered. A threat protection licence is required to download Applications and Threats updates

Updates can be downloaded directly from the Palo Alto update server via two paths.

One is downloading the updates to another system such as a user desktop or Panaorama mangement device, and then uploading to the firewall.

Two is navigating to the Device -> Dynamic Updates section of the firewall and clicking Install to Install the update.

The following release schedules are available for updates:

Antivirus is daily

Applications and Threats: weekly updates, with new applications coming monthly

WildFire: Around every 5 minutes

The firewall can be configured to check for updates as frequently as required. As often as every hour for anti-virus, applications and threats as often as every 30 minutes and wildfire updates can be checked once per minute

PAN-OS Updates

To maintain the most current protection, the firewall requires to be updated to the latest PAN-OS software.

When an upgrade is performed, it is important to download the next x.0 base release, before downloading to the next minor release. When installing the minor release the base release is automatically installed

Like dynamic updates, there are two methods of updating the firewall, via uploading a file or using the Check Now hyperlink

The MGMT port is used to fetch these updates, but can be configured to use a seperate in-band port

The firewall must be running the most recent version of Applications and Threats database. The software upgrade process fails if it does not have a current update.

Administrator Account and Role Respositories

The firewall can authenticate locally or remotely defined administartors: A local account and password, or a remote account and password.

PAN-OS software supports remote authentication using Active Directory, Kerberos, LDAP, RADIUS and TACACS+

Roles for each administrator can be defined locally, or remote too using Custom Roles or Dynamic Roles

Remote role assignments are supported via RADIUS or TACACS+ using VSAs, Vendor Specific Attributes

All administrators changes, whether local or remtoe, are logged in the firwalls Configuration and System logs. Time logged in is logged, and any configuration changes that are made

Firewall Authentication of non-local users

Before an external authentication service can be used, an authentication profile requires to be created on the firewall. The authentication profile contains information to authenticate an administrator account against an external authentication service once one of the services servers can be reached.

An authentication sequence is a method where a firewall can contact multiple services to authenticate an account. A specified list of authentication profiles can be created by adding them to the optional authentication sequence on a firewall.

If created, specify the sequence instead of the profile on the user account on the firewall

An authentication profile uses a server profile, which is used to locate the external authentication services servers. A server profile can be configured a list of external authentication servers

Step one:

Authenticate non-local password

Step two:

Read optional authentication sequence

Step three:

Go to first/next Authentication profile

Step Four:

Has a server profile been found?

If No:

Login has failed, check if they’re is another authentication profile and go to Step three

If Yes:

Was an account found?

If No:

If there is anoither authentication profile, go to step three

If Yes:

Check the password authentication

Server Profiles

Devices -> Server Profiles

Server profiles define connections that the firewall can make to external servers for the purposes of authentication.

These types of external servers could be Kerberos, LDAP, RADIUS, SAML, or TACACS+ servers

Server profiles are required to validate login information for accounts that were not locally created on the firewall

Authentication Profiles

Devices -> Authentication Profiles

The authentication profile specifies what server profile and settings are used to authenticate the administrator account. An authentication profile is specified when an administrator account is created where the name and password are maintained on an external service

Authentication Sequence

An optional configuration if multiple external services have been defined.

The list is created with a list of Authentication Profiles that are in order of most preferred to least preferred, that should be checked to authenticate an administrator account.

Each one in the list is checked until one profile succesfully authenticates the user.

If a local database is preseent in the list, the firewall checks that one first regardless of where in the order it comes

Authentication only fails once all profiles fail the query of the login information

Leave a Reply

Your email address will not be published. Required fields are marked *