This is my basic checklist when installing a new Palo Alto firewall. I used it for a few clusters during the last weeks. It shows the steps required for a PA firewall from the unpacking until it is plugged into Panorama, the central management platform from Palo Alto.
Here is the list. This is not a full step-by-step guide. That is: I have not referenced any commits or the like. You should know when to commit and when to reboot. ;)
Basics for each device separately:
- Device -> Setup -> Management: General Settings (Hostname, Domain, Time), Management Interface Settings (IP Address, Netmask, Default Gateway)
- Device -> Setup -> Services: DNS Server, NTP Server
- Device -> Licenses: “Retrieve license keys from license server”, and if PAN-DB: download and activation
Delete default configuration:
- Policies -> Security: rule1
- Network -> Virtual Wires, Zones, Interfaces
Cluster High Availability:
- Dedicated interfaces OR interface type “HA” (Network -> Interfaces)
- Device -> High Availability -> General Setup: Enable, Group ID, Peer HA1 IP Address
- Control Link (HA1): Port, IP Address, etc.
- Same for Data Link (HA2), if used
Dynamic Updates and PAN-OS:
- Device -> Dynamic Updates: “Check Now”
- Install at least Applications and Threats (needed for the PAN-OS upgrade): download with “Sync To Peer”, then install on both HA devices separately
- Device -> Software: “Check Now”
- Download and Sync To Peer
- Install PAN-OS on both HA devices separately (+ reboot)
Panorama integration:
- On both HA devices: Device -> Setup -> Management -> Panorama Settings: IP Address
- On Panorama: Panorama -> Managed Devices -> Add: serial numbers of both HA devices
- Panorama -> Templates: Add the cluster to a new OR existing one
- Panorama -> Device Groups: Add the cluster to a new OR existing one
- Template -> Device -> Setup -> Services: DNS Server, NTP Server (Commit with “Force Template Values”)
- Template -> Device -> Administrators: Create at least one admin account (Superuser)
- On each HA device: Delete the admin/admin account!
- On Panorama: Template -> Device -> Dynamic Updates: Schedule all needed sections. (Commit with “Force Template Values”)
I am doing at least one “Force Template Values” commit after these installation steps. For example, this forces the DNS settings to come completely from Panorama (green symbol) rather than from the overridden configuration on the local device (green/orange symbol).
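To verify that the per-device steps above actually landed before handing the cluster over to Panorama, it helps to run a check over an exported running configuration (e.g. the XML returned by `show config running` or the XML API). The following is an added example, not code from the original post or from Palo Alto: it parses a constructed sample config and reports every checklist item that is still open (settings missing, default `rule1` or `default-vwire` still present, the `admin` account not deleted, no other superuser defined). The element paths mirror the usual PAN-OS config tree (`deviceconfig/system`, `deviceconfig/high-availability`, `vsys/.../rulebase`, `mgt-config/users`), but treat them as assumptions and adjust them for your PAN-OS version.

```python
# Added example (not part of the original checklist): post-install check over a
# PAN-OS running-config XML export. The XPaths are assumptions based on the
# common PAN-OS config layout; the sample config below is constructed for the demo.
import xml.etree.ElementTree as ET

# Constructed sample: basics and HA are set, but the default objects and the
# default admin account have not been deleted yet.
SAMPLE_CONFIG = """<config version="10.1.0">
  <mgt-config><users>
    <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="fwadmin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig>
      <system>
        <hostname>fw01</hostname>
        <domain>example.net</domain>
        <ip-address>192.0.2.10</ip-address>
        <netmask>255.255.255.0</netmask>
        <default-gateway>192.0.2.1</default-gateway>
        <dns-setting><servers><primary>192.0.2.53</primary></servers></dns-setting>
        <ntp-servers><primary-ntp-server><ntp-server-address>192.0.2.123</ntp-server-address></primary-ntp-server></ntp-servers>
        <panorama-server>192.0.2.100</panorama-server>
      </system>
      <high-availability>
        <enabled>yes</enabled>
        <group><group-id>1</group-id><peer-ip>10.255.0.2</peer-ip></group>
      </high-availability>
    </deviceconfig>
    <network><virtual-wire>
      <entry name="default-vwire"/>
    </virtual-wire></network>
    <vsys><entry name="vsys1">
      <rulebase><security><rules>
        <entry name="rule1"><action>allow</action></entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>
"""

SYSTEM = "./devices/entry/deviceconfig/system/"
HA = "./devices/entry/deviceconfig/high-availability/"

# Settings the checklist requires on every device: label -> XPath (assumed layout).
REQUIRED_SETTINGS = {
    "hostname": SYSTEM + "hostname",
    "domain": SYSTEM + "domain",
    "mgmt ip": SYSTEM + "ip-address",
    "mgmt netmask": SYSTEM + "netmask",
    "default gateway": SYSTEM + "default-gateway",
    "dns server": SYSTEM + "dns-setting/servers/primary",
    "ntp server": SYSTEM + "ntp-servers/primary-ntp-server/ntp-server-address",
    "panorama server": SYSTEM + "panorama-server",
    "ha enabled": HA + "enabled",
    "ha group id": HA + "group/group-id",
    "ha peer ip": HA + "group/peer-ip",
}

# Default objects the checklist says to delete: object name -> XPath of its entries.
DEFAULT_OBJECTS = {
    "rule1": "./devices/entry/vsys/entry/rulebase/security/rules/entry",
    "default-vwire": "./devices/entry/network/virtual-wire/entry",
}


def check_config(xml_text):
    """Return a list of open checklist items; an empty list means everything passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Every required setting must exist and carry a non-empty value.
    for label, path in REQUIRED_SETTINGS.items():
        node = root.find(path)
        if node is None or not (node.text or "").strip():
            findings.append(f"missing: {label}")
    # 2. Factory-default objects must be gone.
    for name, path in DEFAULT_OBJECTS.items():
        if any(e.get("name") == name for e in root.findall(path)):
            findings.append(f"default object still present: {name}")
    # 3. The admin/admin account must be deleted, and another superuser must exist
    #    so that deleting it does not lock you out.
    users = root.findall("./mgt-config/users/entry")
    superusers = [u.get("name") for u in users
                  if u.findtext("permissions/role-based/superuser") == "yes"]
    if any(u.get("name") == "admin" for u in users):
        findings.append("default account still present: admin")
    if not [s for s in superusers if s != "admin"]:
        findings.append("no superuser account besides admin")
    return findings


if __name__ == "__main__":
    for item in check_config(SAMPLE_CONFIG) or ["all checklist items passed"]:
        print(item)
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents; the superuser check is deliberately evaluated before you delete `admin`, so the script tells you whether the template-provisioned account from the checklist is already in place.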
Now in Panorama:
I am configuring at least two further objects in each firewall template, because they are mostly the same across all HA clusters:
- Templates -> Network -> Network Profiles -> Interface Mgmt: Add the needed profiles, e.g., “untrust-mgmt”, “trust-mgmt”, “only-ping”, or the like
- Templates -> Network -> Network Profiles -> Zone Protection: Add the needed profiles, e.g., “zoneprotection-untrust” and “zoneprotection-trust” with the appropriate values
Now the device is fully integrated into Panorama and can be configured through it. That is, all further settings such as interfaces and routes, objects, policies, etc., are installed through Panorama.