Palo Alto Networks Quick Start GuidePublished 2021-12-14
Activate the Device from the portal
- Find the devices serial number from the order confirmation email
- Login or sign up for the support portal at support.paloaltonetworks.com
- In the left pane, navigate to
Assets -> Devices, then click on the blue
Register New Devicebutton in the top left
Register device using Serial Number, then click
- Enter the serial number, a name for the device and the device location
Agree and Submit
- (Optional) Configure any Day 1 config
- In the device list, click on the pencil icon, then select
Activate Auth-Codeand enter the auth code for the license
- Repeat for all licenses
Initial Configuration with the GUI
About the Management Interface
Each Palo Alto firewall has a dedicated ethernet interface labelled “MGT” for out-of-band management of the appliance. For automatic content updates the device will need internet connectivity from this management interface. By default, the management interface is used for HTTPS administration, SSH, and other admin services.
Connecting with a Laptop
All devices ship from the factory with
192.168.1.1/24 as the default management IP. Configure the ethernet adapter on a laptop with an address of
192.168.1.2/24 and connect the laptop to the firewalls management interface. Next, navigate to
https://192.168.1.1 in your browser and login with username
admin and password
admin. You will be prompted to change this default password on your first login.
Changing the Management IP settings
Device -> Setup -> Management and configure with settings appropriate for your network. Then go to
Device -> Setup -> Services and enter your DNS & NTP settings.
Whenever you edit settings via the GUI or CLI you are changing the candidate configuration. To put these new settings into practice, click
Commit in the upper-right-hand corner, then click
Commit again in the commit preview window.
After the commit finishes the device will now be available on the new IP you configured.
Initial Configuration with the CLI
Connect to the serial port labeled
Console with a standard RJ45 serial adapter. The serial settings are the standard 9600/8-N-1 (that’s 9600 bits/s, 8 data bits, no parity bit, 1 stop bit).
Normal vs. Configure Mode
Now we need to switch to
configure mode to change settings. Do this with the
configure command from normal mode. You can tell which mode you are in by looking at the CLI prompt indicator. If the indicator is a greater-than sign
>, then you are in normal mode. If the indicator is a hash
#, then you are in configure mode.
Changing the Management IP settings
We can change the management IP settings using a single command:
# set deviceconfig system ip-address x.x.x.x netmask x.x.x.x default-gateway x.x.x.x dns-setting servers primary x.x.x.x
Lastly, commit the changes:
Type exit to switch back to the normal mode:
Verify your changes by running this command:
> show system info
Pull Down Licenses
Device -> Licenses and under
License Management click
Retrieve license keys from license server to pull down all the licenses that we activated on the support portal earlier.
Make sure that all the licenses you activated show up on the device itself. If you don’t have a valid support license on the device you won’t be able to download content or software updates from the device.
Before you start using the device in production, we recommend that you upgrade to the latest preferred PAN-OS release.
Configure Dynamic Update Schedules
Device -> Dynamic Updates you can configure schedules for the various content updates that power the firewalls various security engines. Here’s our recommended intervals to download and install for each content type:
- Antivirus: hourly
- Applications and Threats: hourly
- WildFire: real-time (or the shortest available interval)
Configure the Device
From here you are ready to configure the interfaces, routing, security policies, NAT policies, security profiles, log forwarding, reporting and more.
For configuration assistance, feel free to reach out to us.