Palo Alto Networks Quick Start Guide

Published 2021-12-14

Activate the Device from the portal

  1. Find the devices serial number from the order confirmation email
  2. Login or sign up for the support portal at support.paloaltonetworks.com
  3. In the left pane, navigate to Assets -> Devices, then click on the blue Register New Device button in the top left
  4. Choose Register device using Serial Number, then click Next
  5. Enter the serial number, a name for the device and the device location
  6. Click Agree and Submit
  7. (Optional) Configure any Day 1 config
  8. In the device list, click on the pencil icon, then select Activate Auth-Code and enter the auth code for the license
    • Repeat for all licenses

Initial Configuration with the GUI

About the Management Interface

Each Palo Alto firewall has a dedicated ethernet interface labelled “MGT” for out-of-band management of the appliance. For automatic content updates the device will need internet connectivity from this management interface. By default, the management interface is used for HTTPS administration, SSH, and other admin services.

Connecting with a Laptop

All devices ship from the factory with 192.168.1.1/24 as the default management IP. Configure the ethernet adapter on a laptop with an address of 192.168.1.2/24 and connect the laptop to the firewalls management interface. Next, navigate to https://192.168.1.1 in your browser and login with username admin and password admin. You will be prompted to change this default password on your first login.

Changing the Management IP settings

Go to Device -> Setup -> Management and configure with settings appropriate for your network. Then go to Device -> Setup -> Services and enter your DNS & NTP settings.

Whenever you edit settings via the GUI or CLI you are changing the candidate configuration. To put these new settings into practice, click Commit in the upper-right-hand corner, then click Commit again in the commit preview window.

After the commit finishes the device will now be available on the new IP you configured.

Initial Configuration with the CLI

Serial Settings

Connect to the serial port labeled Console with a standard RJ45 serial adapter. The serial settings are the standard 9600/8-N-1 (that’s 9600 bits/s, 8 data bits, no parity bit, 1 stop bit).

Normal vs. Configure Mode

Now we need to switch to configure mode to change settings. Do this with the configure command from normal mode. You can tell which mode you are in by looking at the CLI prompt indicator. If the indicator is a greater-than sign >, then you are in normal mode. If the indicator is a hash #, then you are in configure mode.

Changing the Management IP settings

We can change the management IP settings using a single command:

# set deviceconfig system ip-address x.x.x.x netmask x.x.x.x default-gateway x.x.x.x dns-setting servers primary x.x.x.x

Lastly, commit the changes:

# commit

Type exit to switch back to the normal mode:

# exit

Verify your changes by running this command:

> show system info

Pull Down Licenses

Visit Device -> Licenses and under License Management click Retrieve license keys from license server to pull down all the licenses that we activated on the support portal earlier.

Make sure that all the licenses you activated show up on the device itself. If you don’t have a valid support license on the device you won’t be able to download content or software updates from the device.

Upgrade PAN-OS

Before you start using the device in production, we recommend that you upgrade to the latested preferred PAN-OS release.

Configure Dynamic Update Schedules

On Device -> Dynamic Updates you can configure schedules for the various content updates that power the firewalls various security engines. Here’s our recommended intervals to download and install for each content type:

  • Antivirus: hourly
  • Applications and Threats: hourly
  • WildFire: real-time (or the shortest available interval)

Configure the Device

From here you are ready to configure the interfaces, routing, security policies, NAT policies, security profiles, log forwarding, reporting and more.

For configuration assistance, feel free to reach out to us.