Palo Alto Firewall: Installation from Scratch till Panorama

This is my basic checklist when installing a new Palo Alto firewall. I used it for a few clusters during the last weeks. It shows the steps required for a PA firewall from the unpacking until it is plugged into Panorama, the central management platform from Palo Alto.

Here is the list. This is not a full step-by-step guide, so I have not referenced any commits or the like. You should know when to commit and when to reboot. ;)

Basics for each device separately:

  1. Device -> Setup -> Management: General Settings (Hostname, Domain, Time), Management Interface Settings (IP Address, Netmask, Default Gateway)
  2. Device -> Setup -> Services: DNS Server, NTP Server
  3. Device -> Licenses: “Retrieve license keys from license server”, and if PAN-DB: download and activation

Delete default configuration:

  1. Policies -> Security: rule1
  2. Network -> Virtual Wires, Zones, Interfaces

Cluster High Availability:

  1. Dedicated interfaces OR interface type “HA” (Network -> Interfaces)
  2. Device -> High Availability -> General Setup: Enable, Group ID, Peer HA1 IP Address
  3. Control Link (HA1): Port, IP Address, etc.
  4. Same for Data Link (HA2), if used

Upgrades:

  1. Device -> Dynamic Updates: “Check Now”
  2. Install at least Applications and Threats (a current content version is required for the PAN-OS upgrade): download with “Sync To Peer”, then install on both HA devices separately
  3. Device -> Software: “Check Now”
  4. Download and Sync To Peer
  5. Install PAN-OS on both HA devices separately (+ reboot)

Panorama:

  1. On both HA devices: Device -> Setup -> Management -> Panorama Settings: IP Address
  2. On Panorama: Panorama -> Managed Devices -> Add: serial numbers of both HA devices
  3. Panorama -> Templates: Add the cluster to a new OR existing one
  4. Panorama -> Device Groups: Add the cluster to a new OR existing one
  5. Template -> Device -> Setup -> Services: DNS Server, NTP Server (Commit with “Force Template Values”)
  6. Template -> Device -> Administrators: Create at least one admin account (Superuser)
  7. On each HA device: Delete the admin/admin account! (Only after the superuser pushed by the template has logged in successfully, otherwise you lock yourself out.)
  8. On Panorama: Template -> Device -> Dynamic Updates: Schedule all needed sections. (Commit with “Force Template Values”)

I am doing at least one “Force Template Values” commit after these installation steps. For example, this forces the DNS settings to come completely from Panorama (green symbol) rather than from the locally overridden configuration on the device (green/orange symbol).
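The same firewall-side checklist as PAN-OS CLI, added here as a worked example; it is not part of the original post. It assumes a two-unit active/passive pair, hostnames fw01/fw02, management addresses 192.0.2.11 and 192.0.2.12, a Panorama at 192.0.2.100, HA1/HA2 on ethernet1/7 and ethernet1/8 (models with dedicated HA ports skip the two `ha` interface lines and the `port` keywords), PAN-OS 7.1.12 as the target release, and the PAN-OS 6.x/7.x command tree that was current when the post was written (from 8.0 on the Panorama address lives under `set deviceconfig system panorama local-panorama panorama-server`). Lines starting with `#` are annotations, not CLI input. The listing shows fw01; fw02 differs only in hostname, management IP and HA1 address. The Panorama-side steps (adding the serials, templates, device groups) stay in the Panorama GUI exactly as listed above.

```panos
# --- Basics (run on each unit; values shown for fw01) ---
configure
set deviceconfig system hostname fw01
set deviceconfig system domain example.net
set deviceconfig system timezone Europe/Berlin
set deviceconfig system ip-address 192.0.2.11
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 192.0.2.1
set deviceconfig system dns-setting servers primary 192.0.2.53
set deviceconfig system dns-setting servers secondary 192.0.2.54
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 192.0.2.123
set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address 192.0.2.124

# --- Delete the factory default config: rule1, default-vwire, trust/untrust zones ---
delete rulebase security rules rule1
delete network virtual-wire default-vwire
delete zone trust
delete zone untrust
delete network interface ethernet ethernet1/1 virtual-wire
delete network interface ethernet ethernet1/2 virtual-wire

# --- HA: dedicate two ports, then control link (HA1) and data link (HA2) ---
set network interface ethernet ethernet1/7 ha
set network interface ethernet ethernet1/8 ha
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group mode active-passive
set deviceconfig high-availability group peer-ip 10.255.255.2
set deviceconfig high-availability interface ha1 port ethernet1/7
set deviceconfig high-availability interface ha1 ip-address 10.255.255.1
set deviceconfig high-availability interface ha1 netmask 255.255.255.252
set deviceconfig high-availability interface ha2 port ethernet1/8

# --- Point the unit at Panorama (6.x/7.x key, see lead-in for 8.0+) ---
set deviceconfig system panorama-server 192.0.2.100
commit
exit

# --- Licenses and updates (operational mode): content first, then PAN-OS ---
request license fetch
request content upgrade check
request content upgrade download latest sync-to-peer yes
request content upgrade install version latest
request system software check
request system software download version 7.1.12 sync-to-peer yes
request system software install version 7.1.12
request restart system

# --- After Panorama has the serials and the template commit went through ---
show panorama-status
show high-availability state

# --- Only after the template-pushed superuser has logged in successfully ---
configure
delete mgt-config users admin
commit
```

`sync-to-peer yes` copies the downloaded image to the HA peer, but as in the GUI checklist the install and the reboot must still be run on each unit; upgrade the passive unit first, fail over, then the other one. `show panorama-status` should report the Panorama as connected before you delete the local admin account.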

Now in Panorama:

I am configuring at least two further objects for each firewall template, because they have mostly the same settings among all HA clusters:

  1. Templates -> Network -> Network Profiles -> Interface Mgmt: Add the needed profiles, e.g., “untrust-mgmt”, “trust-mgmt”, “only-ping”, or the like
  2. Templates -> Network -> Network Profiles -> Zone Protection: Add the needed profiles, e.g., “zoneprotection-untrust” and “zoneprotection-trust” with the appropriate values

Now the device is fully integrated into Panorama and can be configured through it. That is, all further settings such as interfaces and routes, objects, policies, etc., are installed through Panorama.

13 thoughts on “Palo Alto Firewall: Installation from Scratch till Panorama”

  1. couple questions
    Do I need to configure anything in HA in panorama under device tab?
    also when commit configuration do I commit only active?
    also do I need to make each firewall has different IP address for public and private?

    1. Hi Mike,

      1) If you have a single firewall that you want to manage via Panorama, you do not need to do anything with HA. My list just provides my steps for importing an HA cluster into Panorama. If you don’t have HA clusters, just ignore it.
      2) If you have an HA cluster in Panorama, it automatically summarizes them as an HA pair. When you do a commit from Panorama to the devices, you can select whether you want to commit to a single device (not recommended) or to the HA pair.
      3) No, you don’t need different IP addresses for data interfaces. Only (!) the management interface IP address must be unique. Palo has no HA concept of “floating” or “virtual” IP addresses. It only has one single active IP address that always resides on the currently active unit.

  2. Hello,
    I have configured a PA firewall version 6 on a VM ESX for training and I do not have a license yet. I am working on that with my salesperson. Anyhow, I created all of my interfaces and assigned layer 3 IP addresses to each of the Palo’s interfaces, however I am not able to ping the layer 3 interface IPs. The only one that works is my management IP address. Is this not working because I am missing the license? Thank you in advance.

    1. This is a configuration problem. You must configure an Interface Management profile (under Network -> Network Profiles -> Interface Mgmt) which allows at least ping. Then you have to bind this profile to the interface (under Interfaces -> select your interface -> Advanced -> Management Profile).
      Cheers,
      Johannes
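The fix from the reply above, together with the two profile types the post creates in the Panorama template (Interface Mgmt and Zone Protection), as PAN-OS CLI on a locally managed unit. This is an added example, not from the post or the comment. Profile names follow the post; the interfaces ethernet1/3 (untrust) and ethernet1/4 (trust), the zone names and the permitted range 198.51.100.0/24 are assumptions. In a Panorama template the same objects are entered under Templates -> Network -> Network Profiles as the post describes; lines starting with `#` are annotations.

```panos
configure
# Interface Mgmt profiles: an L3 interface answers no service at all, not even ICMP,
# until a profile is bound to it. That is the "cannot ping my L3 interfaces" symptom.
set network profiles interface-management-profile only-ping ping yes
set network profiles interface-management-profile trust-mgmt ping yes ssh yes https yes snmp yes
set network profiles interface-management-profile untrust-mgmt ping yes https yes
# On the untrusted side restrict the source addresses allowed to reach those services
set network profiles interface-management-profile untrust-mgmt permitted-ip 198.51.100.0/24

# Bind the profiles to the interfaces (GUI: Interfaces -> Advanced -> Management Profile)
set network interface ethernet ethernet1/3 layer3 ip 203.0.113.2/24
set network interface ethernet ethernet1/3 layer3 interface-management-profile untrust-mgmt
set network interface ethernet ethernet1/4 layer3 ip 10.10.10.1/24
set network interface ethernet ethernet1/4 layer3 interface-management-profile trust-mgmt

# Zones (the factory trust/untrust zones were deleted during installation)
set zone untrust network layer3 ethernet1/3
set zone trust network layer3 ethernet1/4

# Zone Protection: enable SYN flood protection with the default thresholds
# and bind one profile per zone; tune the rates per zone afterwards in the GUI.
set network profiles zone-protection-profile zoneprotection-untrust flood tcp-syn enable yes
set network profiles zone-protection-profile zoneprotection-trust flood tcp-syn enable yes
set zone untrust network zone-protection-profile zoneprotection-untrust
set zone trust network zone-protection-profile zoneprotection-trust
commit
exit

# Verify the binding and then ping the interface from a permitted host
show interface ethernet1/3
```

Keep `only-ping` for interfaces that exist only as next hops; put `https`/`ssh` on a data interface only with a `permitted-ip` list, since the management profile bypasses the security rulebase for traffic addressed to the firewall itself.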

  3. Hello,
    We are configuring a new PA which will have its own rule set. Is there any value in hosting these rules on Panorama and pushing them to the firewall, or do you recommend local rules on the firewall?
    Thanks !!

    1. It depends. If you plan to have lots of firewalls, you should use a centralized management, i.e., Panorama. If you host only one single firewall, you don’t need it.

  4. Hi Sir,

    I am new to Palo Alto Panorama M-100. My question is, how do I separate management traffic from log collection? As per the admin guide the log collection can be delegated to one of the interfaces available such as eth1 or eth2, however I don’t understand whether I will configure an IP address on the interface for log collection, and if an IP is needed, will it be an IP in the same subnet as the management IP?

    Thanks,

    Francis

  5. Hi,

    I have remote site PA firewalls and also Panorama, so in this case, if I want to configure a DHCP server/relay agent on a remote site device, do I need to push it through Panorama or directly on the device? Please let me know. It would be great if you can explain well.

    1. Hi Bala,

      In your case, if the PA firewall is already managed by the Panorama, then you can push the config via Panorama if it already has an existing Template.

      Thanks,
      Francis

  6. Please, I need your feedback. I have a PA HA pair, both management interfaces connected to our management layer 2 switch. The problem is I can access one PA through the management IP but I cannot access the other. Can anybody help me, what is the issue?

    1. Hi Awais,
      the Palo Alto Management Interface is nothing more than a normal “host” interface such as any Linux machine or whatever. Have you really checked:
      – the management IPv4 address (of course it must be unique on the subnet!)
      – subnet mask
      – default gateway
      – enabled https/ssh
      – layer 2 vlan of your switch
      – and so on?

      This is probably not a Palo Alto problem, but a simple layer 2/3 problem within your network or within the management port configuration.
      Cheers,
      Johannes

      1. Hi Johannes,

        Thanks for your reply. I agree with you, but my concern is I have two PAs:
        one is accessible with the same VLAN but the second is not accessible, with the same config on the switch side.

  7. Hello,

    Johannes Weber & Francis
    Your prompt response is highly appreciated. Please recommend: we will go with the Panorama config, we have a PA HA pair.
