Previously I have looked at the standalone Palo Alto VM series firewall running in AWS, and also at the Palo Alto GlobalProtect Cloud Service. Today I am going to return to some of the more basic aspects of Palo Alto devices and do some initial configuration. In subsequent posts, I’ll try to look at some more advanced aspects. I will be using the GUI and the CLI for each example (at least that’s the plan).
Accessing the configuration mode
Much like other network devices, we can SSH to the device. From there enter the “configure” command to drop into configuration mode:
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM#
For the GUI, open a browser and connect to the device's address over HTTPS. By default, the username and password will be admin / admin.
Setting the hostname via the CLI
admin@PA-VM# set deviceconfig system hostname Firewall
[edit]
admin@PA-VM#
Setting the hostname via the GUI
Head to the Device tab and click on Management, then click on the gear icon to open up the dialog box and set the hostname.
Saving your changes
Unlike an ASA, but more like a Juniper or CheckPoint device, changes need to be committed first, before they take effect. This means that you have the chance to check over your edits and amend if necessary.
Committing changes using the CLI
admin@PA-VM# check pending-changes
yes
[edit]
admin@PA-VM# commit
Commit job 3 is in progress. Use Ctrl+C to return to command prompt
...99%.........100%
Configuration committed successfully
[edit]
admin@Firewall#
Now our hostname has changed. But the actual preview was not that great.
Committing changes using the GUI
The GUI seems a bit better if you want to preview your changes.
You start by pressing the Commit button, then select “Preview Changes”:
You can select how many lines before and after the change you also want to see. I do like this feature a lot; it keeps things in context.
Clicking OK will bring up another window (keep an eye out for your popup blocker though):
If you are happy with the changes, commit them!
OK, so what else can we do? Let’s start configuring some IP addresses.
Setting interface configuration using the CLI
admin@Firewall-1# set network interface ethernet ethernet1/1 layer3 ip 172.16.5.1/24
[edit]
admin@Firewall-1#
The syntax here is not as easy as Cisco’s; however, it is easier to see which interface you are editing. How many times have you gone to edit an interface in IOS, run a few “do” commands and then had to scroll through, or use the interface command to go back into the same interface to make sure you are in the right one?
Anyway, we can see from the GUI that the change has taken effect (Network > Interfaces > Ethernet):
Setting interface configuration using the GUI
Double-clicking on any interface will bring up its settings. We need to set the interface type, which defaults to Tap (I will cover the different types in a separate post):
We then need to assign an IP address. In the GUI this is done by creating a new address object:
This one is called “DMZ”:
Clicking “OK” in each window takes us back to the main screen. The change may not appear immediately, so click on the refresh icon at the top right-hand side:
Notice that neither method required us to create a zone or virtual router, so let’s do that now.
Virtual Router configuration via the CLI
We can create a virtual router thus:
admin@Firewall-1# set network virtual-router VR1 interface ethernet1/1
[edit]
admin@Firewall-1#
Turning to the GUI, we can see that it has been created and the interface assigned to it:
Virtual Router configuration via the GUI
If we want to create another virtual router (which I don’t) then we could click on Add at the bottom of the screen. Instead, we will just add the other interface to it:
Now both interfaces are in the same Virtual Router.
Finally, let’s create some zones and put the interfaces in them.
Zone creation using the CLI
We will create a zone called “Inside” and add the ethernet1/1 interface to that.
admin@Firewall-1# set zone Inside network layer3 ethernet1/1
[edit]
admin@Firewall-1#
Let’s check it from the GUI:
Zone creation using the GUI
Palo Alto devices are pretty cool in that we can create objects required for other tasks while we are completing the first task. For example, we need a zone for our other interface, so we could create the zone, then go to the interface, edit it and specify the zone, or we could edit the interface and create and specify the zone from there. Either works.
Double click on the interface:
From the drop down, select the option to create a new zone:
Fill in the details and click on the button to add in the interface, click OK.
The interface has now been added to the zone.
Lastly, commit the changes!
admin@Firewall-1# commit
Commit job 10 is in progress. Use Ctrl+C to return to command prompt
...55%98%......100%
Configuration committed successfully
[edit]
admin@Firewall-1#
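Because neither the CLI nor the GUI forces a zone or virtual router when an address is assigned, it is worth checking the configuration for gaps before committing. The script below is an added example, not part of the original post: it parses set-format commands of the three forms used above and lists layer3 interfaces that have an IP but no zone or virtual router. The sample configuration, the ethernet1/2 address and the bracketed multi-member list form are assumptions made for the illustration.

```python
import re

# Constructed sample: the command forms used in this post, plus a second
# interface (ethernet1/2, address made up) that was given an IP and a
# virtual router but never placed in a zone.
SAMPLE_CONFIG = """\
set deviceconfig system hostname Firewall
set network interface ethernet ethernet1/1 layer3 ip 172.16.5.1/24
set network interface ethernet ethernet1/2 layer3 ip 172.16.6.1/24
set network virtual-router VR1 interface [ ethernet1/1 ethernet1/2 ]
set zone Inside network layer3 ethernet1/1
"""

IFACE_RE = re.compile(r"^set network interface ethernet (\S+) layer3 ip (\S+)$")
VR_RE = re.compile(r"^set network virtual-router (\S+) interface (.+)$")
ZONE_RE = re.compile(r"^set zone (\S+) network layer3 (.+)$")


def members(text):
    """Return the names in 'eth1/1' or in a bracketed '[ eth1/1 eth1/2 ]' list."""
    return text.strip().strip("[]").split()


def audit(config):
    """Map each layer3 interface to its IP, virtual router and zone (or None)."""
    report, routers, zones = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            report[m.group(1)] = {"ip": m.group(2)}
        elif m := VR_RE.match(line):
            routers.update({name: m.group(1) for name in members(m.group(2))})
        elif m := ZONE_RE.match(line):
            zones.update({name: m.group(1) for name in members(m.group(2))})
    # Resolve membership after the full pass so command order does not matter.
    for name, entry in report.items():
        entry["virtual_router"] = routers.get(name)
        entry["zone"] = zones.get(name)
    return report


def incomplete(config):
    """Return sorted interfaces that have an IP but lack a zone or virtual router."""
    return sorted(name for name, entry in audit(config).items()
                  if entry["zone"] is None or entry["virtual_router"] is None)


if __name__ == "__main__":
    for name, entry in audit(SAMPLE_CONFIG).items():
        print(name, entry)
    print("incomplete:", incomplete(SAMPLE_CONFIG))
```
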
Next time I will start to look at policy creation.