Palo Alto Networks Quick Start

These steps will get you started if you have some shiny new Palo Alto Networks gear to install.

     
  • Sign up at support.paloaltonetworks.com and register your serial number you received in the order confirmation email from Palo Alto. You can also get it from the Dashboard on the device if you run through the steps below first.
  •  
  • Enter your authorization codes to activate subscriptions on the website or from the device at Device->Licenses

Each Palo Alto firewall has a dedicated gigabit ethernet interface labelled “MGT”. This is for out-of-band management of the appliance. It needs access to the internet if you want to automate updates. It will need an IP that you can reach from a browser for HTTPS management, as well as SSH, SNMP, syslog, etc. It ships with the default address 192.168.1.1 with a 255.255.255.0 net mask and 192.168.1.2 is the default gateway. After configuring your workstation NIC with the 192.168.1.1 address, you can directly connect with an ethernet cable and hit the default management IP with your standards-compliant browser.

The default username is admin. The default password is admin. Use HTTPS

Next visit Device->Setup->Management and configure with settings appropriate for your network. Visit Device->Setup->Services and enter your DNS settings. Click Commit. You have to commit the changes to enable them in production. Until then, you are editing and changing the candidate configuration. After you commit changes, they become part of running-config.xml. You’ll then need to visit the new IP with your browser to continue managing the device.

Configure the management interface using the CLI

Using the command line can be much faster. Connect to the console using a common 9600,8,none,1 config on your favorite terminal emulator.

Once logged in, switch to configure mode:

PA-3020# configure

Next, run this command:

set deviceconfig system ip-address x.x.x.x netmask x.x.x.x default-gateway x.x.x.x dns-setting servers primary x.x.x.x

Lastly, commit the changes

PA-3020# commit

Type exit to switch back to the normal mode

PA-3020# exit

Verify your changes by running this command:

PA-3020 show system info

You could actually run these set commands separately like so:

PA-3020# set deviceconfig system ip-address x.x.x.x PA-3020# set deviceconfig system netmask x.x.x.x

Now you can log in to the web interface.

     
  • Visit Device->Licenses and pull down your license.
  •  
  • Visit Device->Software and install the software that your integrator or SE recommends.
  •  
  • Visit dynamic updates and download and install the latest. Set the appropriate schedule. We recommend hourly for anti-virus, daily for apps and threats and 15 minutes for Wildfire.
  •  
  • Visit Device->Licenses and activate your URL database

From here you are ready to configure the interfaces, routing, security policies, nat policies, security profiles, log forwarding, reporting and more.