Palo Alto Initial Setup

1) Default IP of Palo Alto is 192.168.1.1.


2) Log in using the defaults: Username: admin Password: admin.
3) Navigate to Device > Setup > Interfaces > Management and change the management IP address and the permitted IP address range.

4) Navigate to Device > Setup > Services, click Edit and add a DNS server.

5) Configure a more secure administrator password using Device > Administrators.


6) Go to the Device > Setup > Management tab. In the General Settings section, click the Edit icon to edit the settings. Enter the current date and time, and the appropriate time zone.
7) Commit the changes and connect Palo Alto to your existing network
8) Create an account in Palo Alto portal
9) Go to https://support.paloaltonetworks.com and click the "Create my account" button.
10) Enter your email address and respond to the captcha.
11) Select the option for Device Registration: Register device using Serial Number or Authorization Code
12) Complete the New User Registration form.
13) Please accept The End User Agreement to create the user account.
14) You will receive an email that contains a link to activate your user account. The account Super Users will receive notification of your new account.
15) Click the activation link.
16) You will be taken to the account home tab.
17) Once you make a purchase, convert your Eval account to a production Support account by providing the serial number or auth code and Sales Order or Customer number on the company page. To do this, go to Account Management > Account Details to complete this action.
18) Now Register the device
19) Visit the Palo Alto Support page https://support.paloaltonetworks.com/ and click on the Sign In link at the top right corner of the page. On the next page, click on the Go to portal button:
20) Next, enter your Email Address and Password to complete the login process.
21) Now click on the Register a Device button
22) On the next page select the Device Type. Select the correct Device Type. We selected Register device using Serial Number or Authorization Code to register our firewall appliance. When ready, click on the Next button
23) Now provide the device Serial Number, Device Name (provide a meaningful name to help distinguish this device from other devices) and Location information for RMA purposes
24) Click on the Agree and Submit button at the bottom right of the page
25) Now activate licenses.
26) You will now activate your licenses. Go to Device > Licenses. The following screen will appear
27) Select Activate feature using authorization code. Locate the email you received from Palo Alto Networks customer service that lists the subscriptions you purchased, and the associated activation codes. Enter the codes now. After you enter each code, confirm that the license was accepted
28) After you finish activating your subscriptions, you can download and install the latest version of PAN-OS. Select Device > Software and then select the version of PAN-OS software that your Sales Engineer recommends you install. Click Download. After the download completes, you will see a check mark in the Downloaded column and the value in the Action column changes to Install
29) Click Install to upgrade the PAN-OS software on the device.
30) To download the latest databases, select Device > Dynamic Updates and click Check Now. You will see an updated list of the various databases
31) You will not be able to download the AV database until the Application and Threats database is installed.
32) Download the latest Application and Threats database, and then Install it.
33) Now we will configure HA
34) Connect the HA ports to set up a physical connection between the firewalls.
35) For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
36) For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.
37) Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
38) Enable ping on the management port.
39) Enabling ping allows the management port to exchange heartbeat backup information.
40) Select Device>Setup>Management and edit the Management Interface Settings.
41) Select Ping as a service that is permitted on the interface.
42) If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports.
43) For firewalls with dedicated HA ports continue to the next step.
44) Select Network >Interfaces.
45) Confirm that the link is up on the ports that you want to use.
46) Select the interface and set Interface Type to HA.
47) Set the Link Speed and Link Duplex settings, as appropriate.
48) Set the HA mode and group ID.
49) Select Device>High Availability>General and edit the Setup section.
50) Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA pair on your network. If you have multiple HA pairs that share the same broadcast domain you must set a unique Group ID for each pair.
51) Set the mode to Active Passive.
52) Set up the control link connection.
53) This example shows an in-band port that is set to interface type HA.
54) For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.
55) In Device>High Availability>General, edit the Control Link (HA1) section.
56) Select the Port that you have cabled for use as the HA1 link.
57) Set the IPv4/IPv6 Address and Netmask.
58) If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected or are on the same VLAN.
59) Set up the backup control link connection.
60) In Device>High Availability>General, edit the Control Link (HA1 Backup) section.
61) Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.
62) Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
63) In Device>High Availability>General, edit the Data Link (HA2) section.
64) Select the Port to use for the data link connection.
65) Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
66) If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
67) Verify that Enable Session Synchronization is selected.
68) Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs.
69) You can configure the HA2 keep-alive option on both firewalls, or just one firewall in the HA pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other firewall will be notified if a failure occurs.
70) Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.
71) Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.
72) You do not need to enable heartbeat backup if you are using the management port for the control link.
73) In Device>High Availability>General, edit the Election Settings.
74) Select Heartbeat Backup.
75) Set the device priority and enable preemption.
76) This setting is only required if you wish to make sure that a specific firewall is the preferred active firewall. For information, see Device Priority and Preemption.
77) In Device>High Availability>General, edit the Election Settings.
78) Set the numerical value in Device Priority. Make sure to set a lower numerical value on the firewall that you want to assign a higher priority to.
79) Select Preemptive.
80) You must enable preemptive on both the active firewall and the passive firewall.
81) Enable HA.
82) Select Device>High Availability>General and edit the Setup section.
83) Select Enable HA.
84) Select Enable Config Sync. This setting enables the synchronization of the configuration settings between the active and the passive firewall.
85) Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address.
86) For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.
87) Enter the Backup HA1 IP Address.
88) Save your configuration changes.
89) Click Commit.
90) After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
91) Access the Dashboard on both firewalls, and view the High Availability widget.
92) On the active firewall, click the Sync to peer link.
93) Confirm that the firewalls are paired and synced, as follows:
94) On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized.
95) On the active firewall: The state of the local firewall should display active and the Running Config should show as synchronized.
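
The HA rules in steps 50, 58, 72, 78, 80 and 85 can be checked against a planned pair before the values are entered in the web interface. The following is an added example, not part of the original document and not Palo Alto Networks tooling; the dictionary keys, port labels and addresses are hypothetical and constructed for illustration.

```python
import ipaddress

def check_ha_plan(fw_a, fw_b, other_group_ids=()):
    """Return the problems found in a planned active/passive HA pair.

    fw_a and fw_b are dicts with hypothetical keys (not PAN-OS field names):
    group_id, priority, preemptive, ha1_port, ha1_ip (CIDR), ha1_gateway,
    heartbeat_backup, peer_ha1_ip.
    """
    problems = []
    # One Group ID per pair, unique among pairs in the same broadcast domain.
    if fw_a["group_id"] != fw_b["group_id"]:
        problems.append("group ID differs between peers")
    elif fw_a["group_id"] in other_group_ids:
        problems.append("group ID already used by another pair")
    # Preemptive has to be selected on both the active and the passive firewall.
    if fw_a["preemptive"] != fw_b["preemptive"]:
        problems.append("preemptive must be enabled on both firewalls")
    # The lower numerical value wins; equal values express no preference.
    if fw_a["preemptive"] and fw_b["preemptive"] and fw_a["priority"] == fw_b["priority"]:
        problems.append("preemption enabled but device priorities are equal")
    if_a = ipaddress.ip_interface(fw_a["ha1_ip"])
    if_b = ipaddress.ip_interface(fw_b["ha1_ip"])
    same_subnet = if_a.network == if_b.network
    for name, fw, peer in (("A", fw_a, if_b), ("B", fw_b, if_a)):
        # A gateway is entered only when the HA1 interfaces are on separate subnets.
        if same_subnet and fw["ha1_gateway"]:
            problems.append(f"{name}: HA1 gateway set although peers share a subnet")
        if not same_subnet and not fw["ha1_gateway"]:
            problems.append(f"{name}: HA1 peers on separate subnets need a gateway")
        # Peer HA1 IP Address must be the other firewall's control-link address.
        if ipaddress.ip_address(fw["peer_ha1_ip"]) != peer.ip:
            problems.append(f"{name}: peer HA1 IP does not match the peer")
        # Heartbeat backup applies to dedicated or in-band HA1, not the management port.
        if fw["ha1_port"] != "management" and not fw["heartbeat_backup"]:
            problems.append(f"{name}: heartbeat backup not enabled")
    return problems

# Constructed sample plan; every value here is illustrative.
ACTIVE = {"group_id": 1, "priority": 50, "preemptive": True,
          "ha1_port": "dedicated-ha1", "ha1_ip": "10.0.0.1/30",
          "ha1_gateway": None, "heartbeat_backup": True, "peer_ha1_ip": "10.0.0.2"}
PASSIVE = dict(ACTIVE, priority=100, preemptive=False, ha1_ip="10.0.0.2/30",
               ha1_gateway="10.0.0.254", peer_ha1_ip="10.0.0.1")

if __name__ == "__main__":
    for problem in check_ha_plan(ACTIVE, PASSIVE, other_group_ids={2}):
        print("FAIL:", problem)
```

With the sample values the check reports the missing Preemptive setting on the passive peer and the unnecessary HA1 gateway; correcting both yields an empty list.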