Chapter 1. Basics

1.1 GNS3 and Palo Alto

Learning Objectives

  • Configure a static IP for the management port on the firewall
  • Change general settings of the firewall using the web interface

Scenario: In this lab, we’re only going to start with the basics. Connecting to and configuring basic settings on Palo Alto. There will be a little console usage, but don’t fret. The rest of these will involve some sort of GUI based option

Main Scenario
Figure 1.1: Main Scenario
Table 1.1: Addressing Table
Device Configuration
PaloAlto-1 Management: 192.168.0.1/24
WebTerm1-Management eth0: 192.168.0.2/24

Console into the Palo Alto Device

Make sure to start all your devices, then double click the Palo Alto device. You should see a console window pop up. We need to wait till the prompt changes to “PA-VM”. Otherwise, we cannot login.

No Login
Figure 1.2: No Login

After about 15 mins, hit enter, and the prompt should change. Login with the following credentials:
Username: admin
Password: admin

It will prompt you to change your password. Once you’re finished changing your password, you will see the prompt change to this:

Firewall General mode
Figure 1.3: Firewall General mode

Configure a Static IP on the Palo Alto Device

I promise you that this is one of the only times we will be interfacing with the command line. But this is necessary for setting up a static IP. Type these commands into the now open console:

1) configure
2) set deviceconfig system type static 
3) set deviceconfig system ip-address 192.168.0.1 netmask 255.255.255.0 
4) commit

Line 1: Gets you into configuration mode.

Line 2: Configuration mode command to set the management interface to a static address.

Line 3: Sets IP of the management interface.

Line 4: Every time you make any change in Palo Alto, you must commit the changes for it to take effect.

It should look like this if all commands were successful:

Set a static IP address
Figure 1.4: Set a static IP address

Access the Web Interface from Webterm

Double click on the webterm device. A Firefox window should immediately pop up:

WebTerm Firefox browser
Figure 1.5: WebTerm Firefox browser

On the top address bar, type in “https://192.168.0.1” (without quotes) then hit enter.

After typing that in, you should see a block page:

Type IP address of Palo Alto
Figure 1.6: Type IP address of Palo Alto

To get past this, click advanced, then click “Accept the Risk”.

Past of security warning
Figure 1.7: Past of security warning

Now that we’re past the scary-looking warning screen, type in the credentials to the user: admin. The password should be the password you set after initially logging in through the command line.

Enter credentials
Figure 1.8: Enter credentials

Now, we’re in the web interface for the Palo Alto device!

First page of Palo Alto
Figure 1.9: First page of Palo Alto

Explore the Web Interface

Let’s focus on what we’ll actually be used as these labs progress.

Device Settings
Figure 1.10: Device Settings

In device settings, we can change the hostname, create users, generate certs, etc. The bottom line is that it is used for general system administration. We will be delving more into this as the chapters progress.

Network Interfaces Settings
Figure 1.11: Network Interfaces Settings

In network settings, we can change interface IP addresses, create tunnels, and setup routing.

Objects Settings
Figure 1.12: Objects Settings

We won’t be using the objects tab very much, however, it is important to know about it. Here, we can create pre-defined address objects, define ports, and create security policy templates.

Policy Settings
Figure 1.13: Policy Settings

The policies tab is arguably the most important tab of the firewall. Here we will configure security policies and define NAT rules. An important thing to note is these pre-existing security policies. Everything within a zone is allowed, whereas a zone to another zone is not allowed.

Change the Hostname of Palo Alto

Head over to the device tab, and click the cog icon to the right of device settings.

Changing hostname
Figure 1.14: Changing hostname

Change the hostname to anything but PA-VM. I will change mine to “BruhloAlto”.

After changing the hostname to anything you desire, click on OK at the bottom right of the screen.

General Settings
Figure 1.15: General Settings

After any change in Palo Alto, you will have to commit the changes. When you make changes in Palo Alto, it is put into what we call a “candidate configuration.” This means that changes do not take effect immediately. After we change some settings, we need to press the commit button on the top right.

Commit Configuration
Figure 1.16: Commit Configuration

Pressing commit will push the candidate configuration to the running configuration. This is helpful because the Palo Alto device is smart enough to tell you if a configuration won’t work without affecting your active network settings. Let’s commit these changes by clicking commit again.

Commit all changes
Figure 1.17: Commit all changes

If all is well, after a while you should see something similar to this. It means everything worked!

Configuration committed successfully
Figure 1.18: Configuration committed successfully

Verify the Changes

Refresh the page by pressing the F5 key (or clicking on the refresh button) on the webterm web browser. If the hostname changed, the tab will change to the hostname you set.

Verify configuration
Figure 1.19: Verify configuration

You can also see the changes being reflected on the console interface if you press enter.

Verify configuration in CLI
Figure 1.20: Verify configuration in CLI

License

Icon for the Creative Commons Attribution 4.0 International License

Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.