Palo Alto

Lab Prepration Guide V1.0

First Edition
LAB 1 Initial Configuration
Initial configuration must be performed over dedicated out-of-band management interface (MGT) or
a console connection. By default, the firewall has an IP address of 192.168.1.1 on management
interface and a username/password of admin/admin.

Username: admin

Password: admin

admin@PM-VM> show interface management

Change your management ip according to topology

Step1- Go to Configuration mode

>configure

Step2- Change ip address on management port

#set deviceconfig system ip-address 192.168.10.100 netmask 255.255.255.0

#commit

Step3- verify

#run show interface management

If you cabled your MGT port for external network access, verify that you have access to and from the
firewall by using the ping utility from the CLI.

Note:- when you are not specifying source while doing ping, it’ll take management ip address in
source.

On host machine you can access web-GUI of firewall

Open browser > https://192.168.10.100

By default Web-GUI username & password is admin/admin

After login you will able to see Dashboard of PA firewall

Lab 2:- General Settings & Services
How to change hostname, Login Banner, Date & time.

By GUI

Go to Device > Setup > Management and edit General Settings

 By CLI

Time & Date

Note: System clock changes occur immediately and do not require a commit.

1- How to change default Password

Step1- Launch the Internet browser on your computer and enter https://192.168.1.1.

Step2- Type admin in both the Name and Password fields & Click Login.

Step3- Go to Device > Administrators > admin.

Step4- Type the old password in the Old Password field.

Type the new password in the New Password field.

Type the new password again in the Confirm New Password field.

Click OK
2- DNS and NTP setting
Step1- go to device > setup >services > edit

Step2- enter primary and secondary DNS server

Step3- For NTP setting, so to NTP tab, enter primary and secondary NTP server

Step4- Click on OK and Commit the changes.

3- Service route configuration
Overview

By default, the firewall uses management interface to communicate to various servers including
DNS, Email, Palo Alto Updates, User-ID agent, Syslog, Panorama etc. Service routes are used so that
the communication between the firewall and servers go through the dataplane.

Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

Web UI
Go to Device > Setup > Services > Service Route Configuration and configure the
appropriate service routes.

To configure service routes for non-predefined services, the destination addresses can be manually
entered, as shown below:
LAB 3 How to Factory Reset a Palo Alto Firewall
Note- Before factory reset, save all configuration, logs etc.

Method –A (By Console Port)

Step1- Connect to firewall through console port.

Step2- Power on to reboot the device.

Step3- During the boot sequence, the screen should look like this:

Step 4- Type maint to enter maintenance mode.

Step5 -In maintenance mode, the following displays:

Step6- Click Enter to display the menu:

Step7-Select Factory Reset and click Enter again.

The firewall will reboot without any configuration settings. The default username and password to
log in to the firewall is admin/admin.

Method B- (By SSH)

Step1- Check management ip address

>show sytem info

Step2- Reboot your Palo Alto Networks device into maintenance mode with

>debug system maintenance-mode:

Step3- Open putty and access firewall by management ip

User: maintd

Password: Serial# ----------------Enter serial no. in password

Step3-The screenshot below shows an established SSH connection in maintenance mode:

Step4- Follow same steps as previous method (Method-A)