This article is the second part of our Palo Alto Networks Firewall technical articles. Our previous article was an introduction to Palo Alto Networks Firewall appliances and technical specifications, while this article covers basic IP management interface configuration, DNS, NTP and other services, plus account password modification and appliance registration and activation.
The introduction of Next Generation Firewalls has changed the dimension of management and configuration of firewalls. Most of the well-known firewall vendors have done a major revamp, be it the traditional command line mode or the GUI mode.
Palo Alto Networks is no different to many of those vendors, yet it is unique in terms of its WebUI. It’s a whole new experience when you access the WebUI of Palo Alto Networks Next-Generation Firewalls.
To start an implementation of the Palo Alto Networks Next-Generation Firewalls, one needs to configure them. Palo Alto Networks Next-Generation Firewalls can be accessed through either an out-of-band management port labelled MGT or a serial console port (similar to Cisco devices). By using the MGT port, one can separate the management functions of the firewall from the data processing functions. All initial configuration must be performed either on the out-of-band management interface or through the serial console port. The serial port has default values of 9600-N-1, and a standard rollover cable can be used to connect to it.
Figure 1. Palo Alto Networks Firewall PA-5020 Management & Console Port
By default, Palo Alto Networks Next-Generation Firewalls use the MGT port to retrieve license information and update the threat and application signatures. It is therefore imperative that the MGT port has proper DNS settings configured and is able to access the internet.
To access the Palo Alto Networks Firewall for the first time through the MGT port, we need to connect a laptop to the MGT port using a straight-thru Ethernet cable. By default, the web GUI is accessed through the following IP address and login credentials (note they are in lower case):
- MGT Port IP Address: 192.168.1.1 /24
- Username: admin
- Password: admin
For security reasons it’s always recommended to change the default admin credentials. Until this condition is satisfied, the Palo Alto Networks Firewall alerts the administrator to change the default password every time he logs in, as shown in the screenshot below:
Figure 2. Palo Alto Networks Firewall alerts the administrator to change the default password
Palo Alto Networks Firewall Initial Setup Checklist
Below is a list of the most important initial setup tasks that should be performed on a Palo Alto Networks Firewall regardless of the model:
- Change the default login credentials
- Configure the management IP address & management services (HTTPS, SSH, ICMP, etc.)
- Configure DNS & NTP settings
- Register and activate the Palo Alto Networks Firewall
Let’s take a look at each step in greater detail.
Change the Default Login Credentials
Step 1: Establish connectivity with the Palo Alto Networks Firewall by connecting an Ethernet cable between the Management (MGT) port and the laptop’s Ethernet interface.
Step 2: Configure the laptop Ethernet interface with an IP address within the 192.168.1.0/24 network. Keep in mind that we’ll find the Palo Alto Networks Firewall at 192.168.1.1 so this IP must not be used.
Step 3: Open a web browser and navigate to the URL https://192.168.1.1 – Take note that this is an HTTPS site. At this point the Palo Alto Networks Firewall login page appears.
Step 4: Enter admin in both the name and password fields.
Step 5: From the main menu, click Device > Administrators > admin
- Type the old password in the Old Password field
- Type the new password in the New Password field
- Type the new password in the Confirm New Password field
- Click OK
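The same credential change can also be made from the PAN-OS CLI, for example over the serial console port mentioned earlier. This is an added example, not part of the original article: the prompt hostname PA-5020 is an assumption, and the password is typed at the prompts without being echoed.

```text
(constructed session; hostname PA-5020 is assumed, password input is not echoed)
admin@PA-5020> configure
Entering configuration mode
[edit]
admin@PA-5020# set mgt-config users admin password
Enter password   :
Confirm password :
[edit]
admin@PA-5020# commit
[edit]
admin@PA-5020# exit
Exiting configuration mode
admin@PA-5020>
```

The new password only takes effect after the commit completes, so the default-password warning persists until then.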
Configure The Management IP Address & Management Services (HTTPS, SSH, ICMP)
At this point we have connectivity to the Palo Alto Networks Firewall and need to change the management IP address: