
Palo Alto Lab Guide

Version 8.0
Part-1

1) Instructions
2) Basic Lab setup
3) Management Interface configuration through CLI
4) GUI login & Dashboard view Details
5) View Default services enabled on Management Interface via GUI
6) Enable HTTP service on Management Interface through CLI
7) Role based access (Admin Profiles & Admin Accounts)
8) Running Config & Candidate config
9) Commit Lock and Test the Lock
10) Host name & Time setting configuration
11) Banner & Message of the day configuration
12) DNS configuration
13) Dynamic Update
14) License Management
15) Device Operations
16) Backup & Restore

1. Instructions
GUI ACCESS INSTRUCTION

This field is required

Invalid

commit Save changes to Running Config

CLI ACCESS MODE INSTRUCTION


admin@PA-VM>  Operational: use operational mode to view information about the firewall.
admin@PA-VM#  Configuration: use configuration mode to view and modify the configuration.

2. Basic lab Setup
DEVICES
1. PALO ALTO (2 DEVICES)
2. ADMIN PC
3. LAN PC
4. DMZ SERVER

FIREWALL INTERFACES   VLAN/VMNET            ZONE   IP ADDRESS          SUBNET
Ethernet 1/0          VLAN 10 / VMNET 10    MGMT   103.0.0.254/24      103.0.0.0/24
Ethernet 1/1          VLAN 11 / VMNET 11    LAN    10.11.11.10/24      10.11.11.0/24
Ethernet 1/2          VLAN 12 / VMNET 12    DMZ    172.16.10.10/24     172.16.10.0/24
Ethernet 1/3          BRIDGED               WAN    192.168.3.125/24    192.168.3.0/24
Ethernet 1/4          VLAN 13 / VMNET 13    HA1    41.0.0.10/24        41.0.0.0/24
Ethernet 1/5          VLAN 14 / VMNET 14    HA2    42.0.0.10/24        42.0.0.0/24
ADMIN PC              VLAN 10 / VMNET 10    MGMT   103.0.0.10/24
LAN PC                VLAN 11 / VMNET 11    LAN    10.11.11.5/24

3. Management Interface configuration through CLI

Default login credentials through GUI & CLI


username = admin
Password = admin
Note:
▪ Login credentials are case sensitive
▪ By default IP address on PA Hardware is 192.168.1.1/24
▪ PA VM is by default configured to receive IP address from DHCP for management
Interface.
▪ To delete auto DHCP use CLI command
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# delete deviceconfig system type dhcp-client
• Commit to save changes

Exiting configuration
admin@PA-VM> show interface management
admin@PA-VM> show system info

Management Interface configuration


admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# set deviceconfig system ip-address 103.0.0.254 netmask 255.255.255.0
default-gateway x.x.x.x dns-setting servers primary x.x.x.x secondary
admin@PA-VM# commit
admin@PA-VM# exit

Default Factory reset command


admin@PA-VM> request system private-data-reset

System reload command

admin@PA-VM> request restart system

System shutdown command

admin@PA-VM> request shutdown system

4. GUI login & Dashboard view Details
• Use browser https://103.0.0.254

View of Dashboard after login

View more information on the Dashboard

View active admin session through CLI

admin@PALO_ALTO> show admins


Admin From Client Session-start Idle-for
--------------------------------------------------------------------------
admin 103.0.0.5 CLI 06/06 15:06:09 00:00:00s

To Delete admin sessions:


admin@PALO_ALTO> delete admin-sessions

5. View Default services enabled on Management Interface via GUI

6. Enable http service on Management Interface through CLI
admin@PA-VM> configure
admin@PA-VM# set deviceconfig system service disable-http no
admin@PA-VM# commit

Note: Here, disable-http no means the HTTP service is enabled.

Show Commands

admin@PA-VM# set deviceconfig system service ?


admin@PA-VM# show deviceconfig system service
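
An added example, not part of the original lab guide: HTTP carries the admin login in cleartext, so after the lab it is useful to confirm from a saved set-format configuration that it is off again. The function names and the sample text are constructed for illustration, and the disable-telnet key is an assumption beyond the page, which only shows disable-http.

```python
import re

# Management services that send credentials in cleartext when enabled.
# disable-http is the key shown in the lab; disable-telnet is an assumption
# added here and does not appear on the page.
CLEARTEXT = {"disable-http": "HTTP", "disable-telnet": "Telnet"}

# Matches set-format lines, with or without a leading CLI prompt.
LINE = re.compile(
    r"^(?:\S+[#>]\s*)?set\s+deviceconfig\s+system\s+service\s+"
    r"(disable-[\w-]+)\s+(yes|no)\s*$"
)

def parse_services(text):
    """Return {key: enabled} for every service line; later lines override earlier ones."""
    state = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            key, value = m.groups()
            # The setting is a negation: "disable-x no" means service x is ON.
            state[key] = (value == "no")
    return state

def cleartext_findings(text):
    """Names of cleartext management services that are explicitly enabled."""
    state = parse_services(text)
    # Keys that are absent are left to the device default and not reported.
    return sorted(name for key, name in CLEARTEXT.items() if state.get(key))

# Constructed sample, not captured from a real firewall.
SAMPLE = """\
admin@PA-VM# set deviceconfig system service disable-http no
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-https no
set deviceconfig system service disable-ssh no
"""

if __name__ == "__main__":
    for svc in cleartext_findings(SAMPLE):
        print(f"FINDING: {svc} is enabled on the management interface")
```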

8. Running Config & Candidate config

Palo Alto Firewall comes with the following config types:

Candidate Configuration
When we change an existing configuration parameter such as a Security Policy, zone, Virtual
router, etc. on the Palo Alto firewall and click OK, the Candidate Configuration is either
created or updated. This type of configuration is known as the Candidate Configuration.

Running Configuration
When Commit at the top right corner of the Web UI of the Palo Alto firewall is clicked, the
Candidate Configuration is applied to the running configuration of the Palo Alto firewall.
The applied configuration is called the running configuration.

Change the host name & time zone on the firewall to check the difference between the candidate
config & running config
7. Role based access (Admin Profiles & Admin Accounts)
a. Create an Admin Role Profile named Firewall Administrator with the following parameters

a) Create a user (user1) with password (Ab12345) & apply the Admin Role Profile
b) Commit the changes
c) Test by logging in as user1

9. Commit Lock and Test the Lock

The web interface supports multiple concurrent administrator sessions by enabling an
administrator to lock the candidate or running configuration so that other administrators cannot
change the configuration until the lock is removed.
1. From the GUI, log in as user1 & click the transaction lock icon to the right of the
commit link.
2. Click Take Lock. A Take Lock window opens.
3. Set the type to Commit, and click OK. The user1 lock is listed in the Locks window.
4. Click Close & log out at the bottom-left corner of the WebUI.
5. Return to the WebUI where you are logged in as admin.
6. Notice the lock icon. Click on the icon to check locked users.
7. Now try to commit the changes; it will give you the message “Other administrators are
holding device wide commit locks”.

10. Host name & Time setting configuration

11. Banner & Message of the day configuration

NOTE: Logout & re-login to see the effect.

12. DNS Configuration
The DNS server configuration settings are used for all DNS queries that the firewall initiates in
support of FQDN address objects, logging & firewall management.

Note: DNS configuration can be done in two ways

a) CLI
b) GUI

a) CLI
admin@PALO_ALTO> configure
admin@PALO_ALTO# set deviceconfig system dns-setting servers primary 4.2.2.2 secondary 8.8.8.8

DNS configuration through GUI
• Verify that 4.2.2.2 is the primary DNS Server & 8.8.8.8 is the secondary DNS Server
• Verify that updates.paloaltonetworks.com is the Update Server

13. DYNAMIC UPDATES

SOFTWARE UPDATES

14. License Management
Note: Internet connectivity is mandatory for licensing.

LICENSING

15. Device Operations

16. Backup & Restore

The backup has been saved locally on the Palo Alto firewall; now we need to export it to our PC.

Now you can see the backup file exported/downloaded to your PC.

Condition: After exporting the backup, we made a few changes on the firewall which went wrong & we
need to bring the firewall back to the state of the backup.
Step 1: Import the backup file

Step 2: Now load it back to the firewall

QUIZ

END OF MODULE THANK YOU !
