
INITIAL CONFIGURATION
GET STARTED RIGHT

• Administrative controls
• Initial system access
• Configuration management
• Licensing and software updates
• Account administration
• Viewing and filtering logs

EDU-210 Version A
PAN-OS® 9.0
Agenda
After you complete this module, you should be able to:

• Connect to the firewall and log in as admin
• Configure the network settings for the management interface port
• Describe the difference between the running config and the candidate config
• Configure dynamic firewall updates to update the applications and threats databases
• Create a local firewall administrative account
• Access the firewall logs

2 | © 2019 Palo Alto Networks, Inc.


Administrative controls

Initial system access

Configuration management

Licensing and software updates

Account administration

Viewing and filtering logs



Initial Access to the Firewall
• Initial configuration must be performed using either:
  • Dedicated out-of-band management Ethernet interface (MGT)
  • Serial console connection
• Default MGT IP addressing:
  • Most firewall models: 192.168.1.1/24
  • VM-Series firewalls: DHCP client
• Default access:
  • Username: admin
  • Password: admin



Administrative Access

• Web Interface
• Panorama
• SSH/Console CLI
• REST XML API


Web Interface

[Screenshot callouts:]
• Functional Category Tabs
• Commit Configuration Changes
• Help Portal
• Logout Button
• Tasks Button



Web Interface Editing Guidance
• Red underline shows tabs where information is required.
• Yellow highlights indicate required fields.
• OK button is unavailable if required information is missing or is invalid.
• Contextual Help



Reset to Factory Configuration
• From CLI with known admin user password:
  > request system private-data-reset
  • Erases all logs
  • Resets all settings, including IP addressing, which causes loss of connectivity
  • Saves a default configuration after the MGT IP address is changed
• Without known admin user password:
  • From the console port, type maint during bootup
  • Choose Reset to Factory Default



MGT Interface Configuration: Web Interface
Device > Setup > Interfaces > Management

• Minimum configuration requires IP address, netmask, and default gateway.
• Restrict administrative access to specific IP addresses.



Configure General Settings
Device > Setup > Management
• Configure hostname and domain name:
  • Each defaults to the firewall model name
• The Accept DHCP… options are available only if MGT is configured by DHCP.
• Configure a security message in the Login Banner (optional).
• Latitude and Longitude are used to place the firewall on maps on the ACC tab.



Configure DNS and NTP Servers
Device > Setup > Services

• DNS server configuration is required to reach update servers.
• NTP client configuration is optional but is recommended.



Service Routes
• By default the MGT port is used to access external services.
• Configure an in-band port to access external services (optional).

[Diagram: the Firewall reaches External Services through MGT (default) or through ethernet n/n (optional).]

External Services:
• Update servers
• DNS servers
• NTP servers
• Etc.



Configuring Service Routes
Device > Setup > Services > Service Route Configuration



Configuration Types

• Candidate Configuration: Configuration changes made but not committed
• Running Configuration: Configuration settings currently active on the firewall



Global Configuration Management

Device > Setup > Operations


• These operations are global in
scope and not per-admin.
• Revert, Save, and Load operations
all manage configurations local to
the firewall.
• Export operations export
configurations from the firewall to
the host running the web interface.
• Import operations import
configurations from the firewall to
the host running the web interface.



Configuration Operations

[Diagram labels: data-plane memory (Running Configuration); control-plane memory (Running Configuration, Candidate Configuration); commit; revert; auto-commit; boot; save named; load named; named .xml files; export; import; MGT; admin1; admin2.]



Configuration Operations
Device > Setup > Operations

• Commit: Create time-stamped snapshot <date>.snapshot.xml
• Save candidate configuration: Overwrite existing snapshot.xml
• Save named configuration snapshot: Save file as “filename”.xml

• Revert to running configuration (undo changes prior to commit)
• Load configuration version
• Revert to last saved configuration
• Load named configuration snapshot



Admin-Level Commit

Changes made by one or more administrators:

• View and commit all administrators’ changes:
  • Requires proper permissions
• View and commit only selected administrator changes



Performing a Per-Admin Commit

admin user changes

ZoneAdmin user changes

admin user changes



Admin-Level Save and Revert

• Save changes in progress without committing:
  • Per-admin or all changes
• Revert changes to previous saved configuration:
  • Per-admin or all changes



Preview and Validate Changes

• Preview Changes compares the candidate configuration to the running configuration.
• Change Summary lists the individual settings for which you are committing changes.
• Validate Commit shows any error messages that would appear during a commit.
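
The candidate-versus-running comparison behind Preview Changes can be reproduced offline on exported .xml files, which helps when auditing what a pending commit would alter. The Python below is an added example, not Palo Alto Networks code; both snapshots are constructed, and the hostname fw-edge-01 and role name zone-admin-role are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample snapshots, not taken from a real device. Named items are
# <entry name="..."> elements, as in exported PAN-OS .xml configurations.
RUNNING = """<config>
 <mgt-config><users><entry name="admin"><permissions><role-based>
  <superuser>yes</superuser></role-based></permissions></entry></users></mgt-config>
 <devices><entry name="localhost.localdomain"><deviceconfig><system>
  <hostname>PA-VM</hostname>
  <ip-address>192.168.1.1</ip-address><netmask>255.255.255.0</netmask>
 </system></deviceconfig></entry></devices>
</config>"""

# Candidate = running plus three uncommitted edits (role name is hypothetical).
CANDIDATE = (RUNNING
    .replace("<hostname>PA-VM<", "<hostname>fw-edge-01<")
    .replace("</netmask>", '</netmask><permitted-ip>'
             '<entry name="192.168.1.0/24"/></permitted-ip>')
    .replace("</users>", '<entry name="ZoneAdmin"><permissions><role-based>'
             "<custom><profile>zone-admin-role</profile></custom>"
             "</role-based></permissions></entry></users>"))

def flatten(xml_text):
    leaves = {}                             # leaf path (with entry names) -> text
    def walk(node, path):
        text = (node.text or "").strip()
        here = f"{path}/{node.tag}"
        if node.get("name"):
            here += f"[@name='{node.get('name')}']"
        elif node.tag == "member":          # unnamed list items: key by value
            here += f"[{text}]"
        if len(node) == 0:
            leaves[here] = text
        for child in node:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return leaves

def diff_configs(running_xml, candidate_xml):
    """Return (kind, path, running_value, candidate_value), sorted by path."""
    run, cand = flatten(running_xml), flatten(candidate_xml)
    changes = []
    for path in sorted(run.keys() | cand.keys()):
        old, new = run.get(path), cand.get(path)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            changes.append((kind, path, old, new))
    return changes

print(*diff_configs(RUNNING, CANDIDATE), sep="\n")
```

A new administrator entry or a change under permitted-ip in the output is worth reviewing before the commit, because both alter who can reach or manage the firewall.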



Transaction Locks for Multiple Admins
• Commit lock: Blocks other admins from committing the candidate configuration
• Config lock: Blocks other admins from changing the candidate configuration



Activate the Firewall

Step: Register with Palo Alto Networks Support
• Hardware Firewall: Use serial number from Dashboard
• VM-Based Firewall: Use emailed auth codes and purchase/order number

Step: Activate licenses at Device > Licenses
• Hardware Firewall: Retrieve license keys from license server
• VM-Based Firewall: Activate feature using authorization code

Step: Verify update and DNS servers
• Hardware and VM-Based Firewall: Use correct update and DNS server in Device > Setup > Services

Step: Manage content updates
• Hardware and VM-Based Firewall: Get latest application and threat signatures and URL filtering database

Step: Install software updates
• Hardware and VM-Based Firewall: Verify OS version and install recommended version



Dynamic Updates

Device > Dynamic Updates

Schedule checking for new content, and automatic download or download and install.



PAN-OS Software Updates

Device > Software

1. Check Now to list new software.
2. Download from update server or Upload from local machine.
3. Install software.



Administrator Account and Role Repositories
• Firewall can authenticate locally or remotely defined administrators.
• Each administrative account is assigned a role with specific privileges.
• Administrator actions are logged in the Configuration and System logs:
  • Monitor > Logs

[Diagram: Administrative user
• Authentication: Local Account and Password, or Remote Account and Password
• Admin Role: Custom Role, or Dynamic Role]



Creating an Administrator Role
Device > Admin Roles > Add

• Roles define administrative privileges on the firewall.
• Two types:
  • Dynamic: Predefined permission sets:
    • superuser
    • superuser (read only)
    • device administrator
    • device administrator (read only)
  • Role Based: Custom permission sets

[Screenshot: Creating a Role Based Role]
Creating a Local Administrator Account

Device > Administrators > Add



Creating a Non-Local Administrator Account

Device > Administrators > Add

Password maintained in external service



Firewall Authentication of Non-Local Passwords

Server Profile:
• Locate authentication server

Authentication Profile:
• Communicate with authentication server

Authentication Sequence:
• List of Authentication Profiles

[Flowchart boxes: Authenticate non-local password; Read optional Authentication Sequence; Go to first/next Authentication Profile. Decisions (Yes/No): Server Profile found?; Account found?; Another Authentication Profile? Outcomes: Password authentication checked; Login fail.]



Configuring Server Profiles
Device > Server Profiles



Configuring Authentication Profiles

Device > Authentication Profiles



Configuring an Authentication Sequence
Device > Authentication Sequence > Add

Check Active Directory, then RADIUS



Accessing Firewall Logs

Monitor > Logs

• Each firewall maintains multiple log types.



Constructing a Log Filter
• Click any link in the log listing to add that item as a log filter option.

Monitor > Logs > Traffic

[Screenshot callouts:]
• Runs a query using the filter
• Clears the existing filter



Add Log Filter
Monitor > Logs > Traffic

Download log in CSV format.



Module Summary
Now that you have completed this module, you should be able to:

• Connect to the firewall and log in as admin
• Configure the network settings for the management interface port
• Describe the difference between the running config and the candidate config
• Configure dynamic firewall updates to update the applications and threats databases
• Create a local firewall administrative account
• Access the firewall logs



Questions?

Initial Configuration Lab (Pages 11-23 in the Lab Guide)
• Load a firewall lab configuration file
• Create an admin role
• Create an administrator account
• Manage commit locks
• Manage external firewall services
• Schedule dynamic updates


