Palo Alto – Initial Setup



Intro

Today we will go through the initial setup for a Palo Alto next-gen firewall. We will only cover the basic configuration, which will allow your private network [RFC1918] LAN out to a WAN.

What’s a Private Network?

Based on RFC 1918, we have private networks that are both IPv4 and IPv6 and are only allowed in our LAN. They can be used for your house, office or enterprise environment. LAN was created to delay IPv4 address exhaustion.
OK, enough of that... let's get into it.

Before Initial Setup

Before we can access the WebGUI, let's set up our machine so it can connect to the device.

Local Computer:

1.       Change your IP address to 192.168.1.2

2.       Connect your machine to the MGT port on the Palo Alto Firewall.
3.       From a web browser, go to https://192.168.1.1
4.       Enter the Default Username and Password
a.       Username: admin
b.       Password: admin

Once you’re in, you will see your dashboard. Let’s move into our Palo Alto WebGUI initial configuration.

Initial Setup

Layout Description:


Tabs:

We will be working with the following Tabs:
1.       Policies
2.       Network
3.       Device

Columns:

We will be working with the following Columns:
1.       Interfaces
2.       Zones
3.       VLANs
4.       Virtual Router
5.       DHCP
6.       Interface Mgmt

WebGUI Configuration:

Network Tab Configuration Part 1:

First, we want to configure our untagged VLAN interface. This will help the Ethernet interface setup go much faster.
Go to:
Column: Interface > VLAN Tab
·         We will be using the default untagged VLAN.

Under the Config tab:

§  VLAN: <NAME> e.g. OfficeVLAN, GuestVLAN
§  Virtual Router: Default
§  Zone: Trust
               


Under the IPv4 Tab:

Enter your LAN IP. I have entered 192.168.0.1/24 as an example. Make sure you have the Static radio button selected.

  

Network Tab Configuration Part 2:

Now we can move to the Ethernet configuration. You will notice that we have a virtual wire already configured. Let’s remove that and apply our own settings.
Go To:
1.       Network > Interface > Ethernet Tab
2.       Select Both:
a.       Ethernet 1/1
         i.      Will be our ISP interface
         ii.     Remove: Virtual-Wire
         iii.    Add: Layer 3
b.       Ethernet 1/2
         i.      Will be our LAN interface
         ii.     Remove: Virtual-Wire
         iii.    Add: Layer 2

Click on Ethernet1/1:
·         Add the default values as shown below
Click on Ethernet1/2:
·         Add the default values as shown below


We will leave the default settings under the Config Tab. Make sure to set the Security Zone to a Layer 2 zone for Ethernet 1/2.

DHCP Column:

Lease Tab:

I have added an IP pool in the range of:
192.168.0.20 – 192.168.0.250
This will be the pool that will be handed out to clients.
You want to leave a couple of free IP addresses to apply static assignments.

Option Tab:

Add your Gateway IP address for your LAN. In this example, 😊
I have added 1.1.1.1 as the Primary DNS for added security.
You can remove Google’s 8.8.8.8 if you like and just have Cloudflare’s DNS.

Now go back to your VLAN tab and verify that you have the DHCP feature enabled:

After you have your VLAN created with DHCP, assign the VLAN to the interfaces that will require access to your trusted network.
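
Before committing, the addressing plan above can be sanity-checked offline. The script below is an added example, not part of the original post or any Palo Alto tooling. It checks that the LAN is RFC 1918 space, that the DHCP pool fits the subnet without leasing the gateway, and that the LAN does not overlap the management network. The function name check_plan and the /24 mask on the MGT address are assumptions.

```python
import ipaddress

# RFC 1918 private IPv4 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(lan_if, pool_start, pool_end, mgmt_if):
    """Return (problems, static_free) for a LAN interface and its DHCP pool."""
    lan = ipaddress.ip_interface(lan_if)
    mgmt = ipaddress.ip_interface(mgmt_if)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    net = lan.network
    problems = []

    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append(f"{net} is not RFC 1918 space")
    if start > end:
        problems.append("pool start is above pool end")
    for addr in (start, end):
        if addr not in net:
            problems.append(f"pool address {addr} is outside {net}")
    for reserved in (net.network_address, net.broadcast_address):
        if start <= reserved <= end:
            problems.append(f"pool covers reserved address {reserved}")
    if start <= lan.ip <= end:
        problems.append(f"pool would lease the gateway address {lan.ip}")
    if net.overlaps(mgmt.network):
        problems.append(f"LAN {net} overlaps management network {mgmt.network}")

    # Usable hosts left for static assignments: not leased, not the gateway.
    static_free = [h for h in net.hosts()
                   if not (start <= h <= end) and h != lan.ip]
    return problems, static_free


if __name__ == "__main__":
    # Values from this page; the /24 on the MGT address is an assumption.
    problems, free = check_plan("192.168.0.1/24", "192.168.0.20",
                                "192.168.0.250", "192.168.1.1/24")
    print("problems:", problems or "none")
    print(f"{len(free)} static addresses free: {free[0]} .. {free[-1]}")
```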


Zone Column After configuration:


NAT Rule:

You will need a NAT [PAT] to allow the internal network out to the WAN.

Security Rule:

Finally, create a security rule that will allow all traffic to test your new configuration.

