Palo Alto – Basic configuration (CLI and GUI)

Previously I have looked at the standalone Palo Alto VM series firewall running in AWS, and also at the Palo Alto GlobalProtect Cloud Service. Today I am going to return to some of the more basic aspects of Palo Alto devices and do some initial configuration. In subsequent posts, I’ll try to look at some more advanced aspects. I will be using the GUI and the CLI for each example (at least that’s the plan).

Accessing the configuration mode

Much like other network devices, we can SSH to the device. From there enter the “configure” command to drop into configuration mode:

admin@PA-VM> configure
Entering configuration mode
[edit] 
admin@PA-VM#

For the GUI, just open a browser and connect to the device’s address over HTTPS. By default, the username and password will be admin / admin.

Setting the hostname via the CLI

admin@PA-VM# set deviceconfig system hostname Firewall

[edit] 
admin@PA-VM#

Setting the hostname via the GUI

Head to the Device tab and click on Management, then click on the gear icon to open up the dialog box and set the hostname.

Palo Alto hostname configuration

Saving your changes

Unlike an ASA, but more like a Juniper or CheckPoint device, changes need to be committed first, before they take effect. This means that you have the chance to check over your edits and amend if necessary.

Committing changes using the CLI

admin@PA-VM# check pending-changes

yes
[edit] 
admin@PA-VM# commit

Commit job 3 is in progress. Use Ctrl+C to return to command prompt
...99%.........100%
Configuration committed successfully

[edit] 
admin@Firewall#

Now our hostname has changed. But the actual preview was not that great.

Committing changes using the GUI

The GUI seems a bit better if you want to preview your changes.

You start by pressing the Commit button, then select “Preview Changes”:

Palo Alto - preview changes

You can select how many lines before and after the change you also want to see. I do like this feature a lot; it keeps things in context.

Palo Alto - context changes

Clicking OK will bring up another window (keep an eye out for your popup blocker though):

Palo Alto preview change

If you are happy with the changes, commit them!

Palo Alto - committing changes

OK, so what else can we do? Let’s start configuring some IP addresses.

Setting interface configuration using the CLI

admin@Firewall-1# set network interface ethernet ethernet1/1 layer3 ip 172.16.5.1/24

[edit] 
admin@Firewall-1#

The syntax here is not as easy as Cisco’s, however it is easier to see which interface you are editing. How many times have you gone to edit an interface in IOS, run a few “do” commands and then had to scroll through, or use the interface command to go back into the same interface to make sure you are in the right one?

Anyway, we can see from the GUI that the change has taken effect (Network > Interfaces > Ethernet):

Setting interface configuration using the GUI

Double-clicking on any interface will bring up its settings. We need to set the interface type, which defaults to Tap (I will cover the different types in a separate post):

Configuring Palo Alto Interfaces

We then need to assign an IP address. In the GUI this is done by creating a new address object:

This one is called “DMZ”:

Clicking “OK” on the windows takes us back to the main screen. The change may not appear immediately, so click on the refresh icon at the top right-hand side:

Notice that neither method required us to create a zone or virtual router, so let’s do that now.

Virtual Router configuration via the CLI

We can create a virtual router thus:

admin@Firewall-1# set network virtual-router VR1 interface ethernet1/1

[edit] 
admin@Firewall-1#

Turning to the GUI, we can see that it has been created and the interface assigned to it:

Virtual Router configuration via the GUI

If we want to create another virtual router (which I don’t) then we could click on Add at the bottom of the screen. Instead, we will just add the other interface to it:

Palo-Alto-assign-VR-2

Now both interfaces are in the same Virtual Router.
Palo Alto assign virtual router

Finally, let’s create some zones and put the interfaces in them.

Zone creation using the CLI

We will create a zone called “Inside” and add the ethernet1/1 interface to that.

admin@Firewall-1# set zone Inside network layer3 ethernet1/1

[edit] 
admin@Firewall-1#

Let’s check it from the GUI

Palo Alto zones

Zone creation using the GUI

Palo Alto devices are pretty cool in that we can create objects required for other tasks while we are completing the first task. For example, we need a zone for our other interface, so we could create the zone, then go to the interface, edit it and specify the zone, or we could edit the interface and create and specify the zone from there. Either works.

Double click on the interface:

Creating Zones

From the drop down, select the option to create a new zone:

Creating zones

Fill in the details and click on the button to add in the interface, click OK.

The interface has now been added to the zone.
Creating zones

Lastly, commit the changes!

admin@Firewall-1# commit

Commit job 10 is in progress. Use Ctrl+C to return to command prompt
...55%98%......100%
Configuration committed successfully

[edit] 
admin@Firewall-1#
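The steps above leave it to the operator to remember that every addressed interface also needs a virtual router and a zone. The following check is an added example, not part of the original post or any Palo Alto tooling: it reads configuration in "set" format and lists layer3 interfaces that have an IP address but no zone or virtual router. Since security policy on these devices is written in terms of zones, that gap is worth catching before a commit. The sample configuration is constructed from the commands in this post, with a second interface (ethernet1/2, 172.16.6.1/24) assumed for illustration.

```python
import re

# Constructed sample in PAN-OS "set" format, based on the commands in this post.
# ethernet1/2 is given an address but deliberately left out of any zone.
SAMPLE = """\
set deviceconfig system hostname Firewall-1
set network interface ethernet ethernet1/1 layer3 ip 172.16.5.1/24
set network interface ethernet ethernet1/2 layer3 ip 172.16.6.1/24
set network virtual-router VR1 interface [ ethernet1/1 ethernet1/2 ]
set zone Inside network layer3 ethernet1/1
"""

PATTERNS = {
    "ip": re.compile(r"^set network interface ethernet (\S+) layer3 ip (.+)$"),
    "vr": re.compile(r"^set network virtual-router (\S+) interface (.+)$"),
    "zone": re.compile(r"^set zone (\S+) network layer3 (.+)$"),
}

def members(value):
    """Return the items of a set-format value: one token or a '[ a b ]' list."""
    return value.strip().strip("[]").split()

def parse(config_text):
    """Map each interface name to its addresses, virtual router and zone."""
    interfaces = {}
    for line in config_text.splitlines():
        for kind, pattern in PATTERNS.items():
            match = pattern.match(line.strip())
            if not match:
                continue
            first, rest = match.groups()
            # For "ip" the interface is the first field; otherwise it is in the list.
            for name in ([first] if kind == "ip" else members(rest)):
                info = interfaces.setdefault(name, {"ip": [], "vr": None, "zone": None})
                if kind == "ip":
                    info["ip"].extend(members(rest))
                else:
                    info[kind] = first
    return interfaces

def audit(config_text):
    """List layer3 interfaces that have an address but no virtual router or zone."""
    findings = []
    for name, info in sorted(parse(config_text).items()):
        for kind, label in (("vr", "virtual router"), ("zone", "zone")):
            if info["ip"] and info[kind] is None:
                findings.append(f"{name}: no {label} assigned")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "every addressed interface has a zone and VR")
```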

Next time I will start to look at policy creation.
