Author: Bob Lin
Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com
Resetting a Palo Alto firewall to factory defaults erases all configuration settings and logs. This article shows how to do so step by step.
1. Save and export the current configuration.
* Log in to the web interface, for example https://192.168.11.11
* Go to Device>Setup to save and export the configuration.
2. Connect a serial cable from your computer to the Console port.
3. Run PuTTY or any terminal emulation software (9600-8-N-1).
4. Enter your login credentials.
5. Enter the following CLI command:
debug system maintenance-mode
The firewall will reboot into maintenance mode.
Type Y and press Enter.
6. To enter maintenance mode, type "maint" and press Enter. Then press Enter to select.
7. Select Factory Reset and then press Enter.
8. A warning message will be shown along with the factory reset option. Highlight Factory Reset and press Enter.
9. The reset progress is shown as a percentage.
10. When the reset finishes, you have the options Back and Reboot. Select Reboot and press Enter.
11. After booting, the firewall shows the default login prompt. Enter the default username and password, admin/admin, to log in.
12. You have an option to change the default password.
13. Now you are ready to re-configure the Palo Alto firewall.
Your initial configuration on a PA firewall may use the MGT interface to access external services such as DNS server, content updates, and license retrieval. If you do not want to enable external network access to your management network, you must set up an in-band data port to provide access to required external services. This article shows how to do so.
1. Log in to the web interface, for example https://192.168.11.11
2. Delete the default virtual wire interface.
The PA firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and zones). We will delete them.
* Delete the default security policy: select Policies>Security, select the rule, and click Delete.
* Delete the default virtual wire: select Network>Virtual Wires, select the virtual wire, and click Delete.
* Delete the default trust and untrust zones: select Network>Zones, select each zone, and click Delete.
* Delete the interface configurations: select Network>Interfaces, then select each interface (ethernet1/1 and ethernet1/2) and click Delete.
* Commit the changes.
3. Configure the interface for external access to management services.
* Select Network>Interfaces>Ethernet and then the interface that corresponds to the port you want to use to access external services, ethernet1/1 in our example.
* Select the Interface Type, Layer3 in our example.
* In the Config tab, expand the Security Zone drop-down and select New Zone.
* In the Zone dialog, enter a Name for the new zone, for example untrust, and then click OK.
* Select the IPv4 tab, select the Static radio button, and click Add in the IP section.
* Enter the IP address and network mask to assign to the interface, for example 192.168.11.12/24.
* Select Advanced>Other Info, expand the Management Profile drop-down, and select New Management Profile.
• Enter a Name for the profile, such as Managing, and then select the services you want to allow on the interface.
• Note: in most cases, you probably only need to enable Ping.
• Click OK.
* Save the interface configuration, and then Commit.
4. Configure the service routes such as DNS, Palo Alto Networks Services, URL Updates, and AutoFocus (this is an option only if you don’t want to use the Management profile).
• Select Device > Setup > Services and click Service Route Configuration.
5. Configure an external-facing interface and an associated zone.
• Select Network>Interfaces and then select the external-facing interface, ethernet1/1 in our example.
• Select Layer3 as the Interface Type.
• On the Config tab, create the associated Security Zone, such as untrust.
• Click on IPv4 and add the IP address.
• Close the interface configuration and it looks like this.
6. Create a security policy rule to allow the firewall to send service requests from the internal zone to the external zone, Trust to Internet in our example.
7. To save the configuration, click on Commit.
8. Test by accessing Update Server Connectivity.
• Select Device>Troubleshooting.
• Select Update Server from the Select Test drop-down.
• Execute the Palo Alto Networks Update Server connectivity test.
* Also access the firewall CLI and use the following command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
request support check
* If you have connectivity and the configuration is correct, the update server will respond with the support status for your firewall. Because your firewall is not registered, the update server will return the following message:
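An added example, not part of the original article or of Palo Alto's tooling: a Python check that reads an exported configuration and reports Layer3 interfaces whose management profile enables anything beyond Ping, following the note in step 3. The XML sample is constructed, and its element layout and the profile name TooOpen are assumptions to verify against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names follow the usual layout of an exported
# PAN-OS configuration but are assumptions; compare with your own export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network>
  <profiles><interface-management-profile>
    <entry name="Managing"><ping>yes</ping></entry>
    <entry name="TooOpen"><ping>yes</ping><https>yes</https><ssh>yes</ssh></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
    <entry name="ethernet1/1"><layer3>
      <ip><entry name="192.168.11.12/24"/></ip>
      <interface-management-profile>Managing</interface-management-profile>
    </layer3></entry>
    <entry name="ethernet1/3"><layer3>
      <ip><entry name="203.0.113.10/24"/></ip>
      <interface-management-profile>TooOpen</interface-management-profile>
    </layer3></entry>
  </ethernet></interface>
</network></entry></devices></config>
"""

ALLOWED = {"ping"}  # the article's advice: usually only Ping is needed


def enabled_services(profile):
    """Services a management profile turns on (child elements set to 'yes')."""
    return {child.tag for child in profile if (child.text or "").strip() == "yes"}


def audit(xml_text, allowed=ALLOWED):
    """Return {interface: [services enabled beyond `allowed`]} for Layer3 ports."""
    root = ET.fromstring(xml_text)
    profiles = {e.get("name"): enabled_services(e)
                for e in root.findall(".//profiles/interface-management-profile/entry")}
    findings = {}
    for iface in root.findall(".//interface/ethernet/entry"):
        attached = iface.findtext("layer3/interface-management-profile")
        extra = profiles.get(attached, set()) - allowed
        if extra:
            findings[iface.get("name")] = sorted(extra)
    return findings


if __name__ == "__main__":
    for port, services in audit(SAMPLE_CONFIG).items():
        print(f"{port}: management profile also allows {', '.join(services)}")
```

Interfaces with no profile attached are not reported, since no management service answers on them.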
It depends on your expertise and network environment. For home businesses and small businesses without a Domain Controller, we recommend running DHCP/DNS on the router.
If the company has Domain Controllers, we recommend using Windows Server as the DHCP/DNS server because it is quicker and easier to administer and troubleshoot, as you can go through logs and Event Viewer. Also, if you have two Windows domain controllers, you can configure two DHCP servers for redundancy.
You must activate PA licenses for each of the services you purchased before you can start using the firewall to secure the traffic on your network. This article shows how to do so.
• You have two options: Register device using Serial Number or Authorization Code, and Register usage-based VM-Series models (hourly/annual) purchased from public cloud Marketplace or Cloud Security Service Provider (CSSP).
• Check the option you want and click Next.
* Enter the Device information such as Serial Number, Device Name, and Device Tag.
• Enter Location Information and then click on Agree and Submit.
Step 2: Run Day 1 Configuration
* After registering the device, you have an option to Run Day 1 Config.
* Enter the Serial Number of the device you just registered to create a Day 1 Configuration.
Note: Placing a Day 1 Configuration on your firewall will replace any other configurations currently in place.
* Click Confirm Serial Number to continue.
* Enter the Setup information such as S/N, Device Type, PAN-OS Version, and Hostname.
• Enter the Management Type and info.
* Click Generate Config file.
* Palo Alto Customer Support generates the configuration file.
Step 3: Activate the PA support license
* Log in to the PA firewall web interface.
* Go to Device>Support.
* Click Activate support using authorization code.
* Enter your Authorization Code and then click OK.
* Now the Support page shows the support Expiry Date, Level, and Description.
Step 4: Activate purchased license
• Go to Device>Licenses.
• Retrieve license keys from license server: use this option if you activated your license on the Customer Support portal.
• Enter an authorization code to activate other features.
* This is what it looks like after activating the license and features, which confirms that the license is successfully activated.
After you have registered the PA device, you have the option to run the Day 1 Configuration tool, which helps build a sturdy baseline configuration by providing templates that introduce best practice configuration as a foundation on which the rest of the configuration can be built. This article will show you how to run it and upload the result to the device.
Step 1: Run Day 1 Configuration
* After registering the device, you have an option to Run Day 1 Config.
* Enter the Serial Number of the device you just registered to create a Day 1 Configuration.
Note: Placing a Day 1 Configuration on your firewall will replace any other configurations currently in place.
* Click Confirm Serial Number to continue.
* Enter the Setup information such as S/N, Device Type, PAN-OS Version, and Hostname.
• Enter the Management Type and info.
• Enter Logging info.
* Click Generate Config file.
* Palo Alto Customer Support generates the configuration file.
Step 2: Import the prepared Day 1 Configuration file onto your firewall.
* Go to Device>Setup>Operations.
• Click Import named configuration snapshot.
* Click Browse…
* Select the Day 1 configuration file, day1config.xml in our example.
* Click OK to import the day 1 config file.
* The config file is uploading.
* The import is successful.
Step 3: Upload imported day 1 config file
• In Device>Operations, click Load named configuration snapshot.
* Click the drop-down arrow and select the imported file, day1config in our example.
* Click OK to upload the config file.
* The config file has been uploaded. Click Close and refresh the page.
This article shows you how to configure a Palo Alto firewall, based on the PA-800 Series. We will configure the firewall MGT interface, DNS, and NTP, and verify that the firewall can access external services.
Step 1: Access the firewall
There are different ways to configure a Palo Alto firewall.
1. Use a serial cable and terminal emulation software (9600-8-N-1)
Connect a serial cable from your computer to the Console port.
Connect to the firewall using terminal emulation software (9600-8-N-1) such as PuTTY.
To find the COM port number, you may run Device Manager and then navigate to Ports.
When the firewall is powered on and ready, it prompts for login.
Note: The default username/password are admin/admin.
For security reasons, you must change the password before continuing with other firewall configuration tasks.
2. Use an RJ-45 Ethernet cable and an Internet browser.
Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall.
From an Internet browser, go to https://192.168.1.1, which is the default IP address. When the browser shows its security warning, click on Advanced.
Click on Proceed to 192.168.1.1.
Type the default user and password, admin/admin. Then click Login.
Step 2: Configure the MGT interface using a browser
Navigate to Device>Setup>Interfaces.
Click on Management. You have options to set up the static IP address, netmask, default gateway, speed, MTU, Administrative Management Services such as HTTPS and SSH, and Network Services such as Ping and SNMP.
Click OK to close the configuration. Click on Commit to save the settings.
Step 3: Configure DNS, update server, and proxy server settings.
Navigate to Device>Setup>Services.
Click on the Settings icon.
You have options to set up the Update Server, DNS settings, and Proxy Server.
Click the NTP tab to set up the NTP server.
Step 4: Add an admin user and change the admin password
Go to Device>Administrators.
Click on the Add icon. You have options to choose the name, Authentication Profile, password, Administrator type, and Password Profile.
Step 5: Test the Internet connection
* After you Commit the configuration, disconnect the firewall from your computer.
• Connect the MGT port to a switch port on your LAN or router using an RJ-45 Ethernet cable.
• Make sure that the switch port you cable the firewall to is configured for auto-negotiation.
• Using terminal emulation software such as PuTTY, launch an SSH session to the firewall using the new IP address you assigned to it.
With Mitel Connect, you may have Desk phone and Softphone options. If you don’t have Softphone, your Mitel administrator needs to enable it in Mitel Connect Director.
1. In Mitel Connect Director, click on the Tool icon.
2. Navigate to Users>Users.
3. Double-click on the user for whom you want to enable Softphone.
4. Click TELEPHONY.
5. Scroll down until you see Enable use of softphone.