Monday, July 23, 2018
By Charles Buege, a Fuel User Group member
Charles Buege is a Fuel User Group member who has a home lab setup unlike most others. Using a commercial internet provider and running multiple firewalls, his home lab gives him plenty of hands-on learning experience that can translate into his daily work environment. Here he shares how he set up the Palo Alto Networks PA-220 next-generation firewall. Be sure to read his other Fuel blog post, “My Journey to SSL Decryption.”
I recently set up the PA-220 Palo Alto Networks Firewall and would like to go over its setup and configuration for your home lab. My intention is to share the necessary commands to get you up and running as quickly as possible, allowing you to avoid some of the minor mistakes I made in the process.
First off, my home network is not like a typical home network. For starters, I have a commercial provider for my home internet so I can have static IP addresses. Second, I’ve got a couple — yes, multiple! — firewalls running at home. I have two PA-220s, a Cisco 5505 and a Cisco Meraki MX. Why, you may ask? I want to be able to work with as many configurations of IPSec tunnels and secure connections as possible, so I know when I use those same skills at work that I’m able to get the job done as quickly as possible to meet my employer’s demands. That, and I’m a techie geek. I love technology. I am about four months behind on the Visio documentation of my home network. And yes, it is complex enough to need that.
I want to start off by giving you several pieces of advice to make your life easier.
First, don’t make things harder on yourself than they have to be. The PA-220 Palo Alto Networks Firewall comes pre-configured on the 192.168.1.0/24 network, so if you directly attach an Ethernet cable, you can save yourself a LOT of work trying to get the console cables working correctly and just use the simple web interface. The following steps are for those of you who want to know the other ways to do this.
Second, don’t forget the standard of 96-8-1-N-N that most serial devices default to out of the box. These are the settings you put into putty, Hyper-Terminal or whatever other serial communication program you use to connect to the PA-220 Palo Alto Networks Firewall to do your basic configuration. In greater detail, I mean the following:
- 9600 baud (speed)
- 8 Data bits
- 1 Stop Bit
- No Parity Bit
- No Flow Control (Hardware NOR Software)
Which leads to the shorthand of 96-8-1-N-N that I try to remember but always seem to forget when doing this.
Another good indicator that you may not have this properly set up is if you see random high-ASCII characters in your console window. It means you’re close but not quite there.
Third, if you’re like me, you’ve got your PA-220 near other computers in your home lab environment. In my case, my PA-220 that I’m working with for this demo is right next to an ESXi host that has a Windows 2012R2 virtual machine running on it. I thought, “Great! I’ll just attach my console cable from the RJ-45 in the front of the PA-220 to the serial port on my host, add a serial port to my VM, and ‘POOF!’ I’ll be able to just putty into the box any time I need to.”
Well, I was close. For some reason, the ESXi host I am using — a Dell PowerEdge R620, which has a single serial port on the back of it — does not expose that port to ESXi as ‘/dev/char/serial/uart0’ (the default), as I would have expected.
After fighting with this for about a half an hour — thinking that the RJ-45 console port on my PA-220 was disabled for some reason, since I couldn’t get it to work from my laptop either — I realized that I had to choose the ‘/dev/char/serial/uart1’ option. I changed it to that, and…TADA! It works fine now.
A quick aside: the reason my laptop could not connect via the RJ-45 on the front but could connect via the USB micro cable that came with the PA-220 was also that I didn’t remember my own shorthand of ’96-8-1-N-N’. I forgot that putty’s default for Flow Control is ‘XON/XOFF.’
Now, on to the configuration of the device. Let’s get this baby going!
As the PA-220 boots, you will see several different login prompts. Be patient, grasshopper. It takes a long time for this guy to fully boot up the first time. After a while, you will want to press Enter to force a prompt to show up. In my experience, it goes from 220 login:, to PA-HDF login:, to the final prompt of PA-220 login:. Don’t bother trying to log in until the prompt reads PA-220 login:.
Once you get the PA-220 login: prompt, enter the default credentials of admin/admin. The first thing you’ll want to do is set an IP address, netmask and gateway on the management interface so you can get in via a web browser. Issue the following commands, replacing the IP address, netmask, and gateway with the values for your own network:
- configure – This will put you into configuration mode.
- set deviceconfig system ip-address 10.241.0.102 netmask 255.255.0.0 default-gateway 10.241.0.254 dns-setting servers primary 22.214.171.124 secondary 126.96.36.199 – This sets the IP address of the management interface, sets the netmask, sets the gateway, and then the primary and secondary DNS servers. To be clear, set these values to whatever is accurate for your network – these are my values.
If you’re like me and have putty larger than the default screen size, you may see the prompt “jump back” on you. Don’t be surprised – this happens.
At this point, one would expect the pings to start responding, correct? Yep, except for one minor issue: How do you make any changes stick on a Palo Alto firewall? Ding, ding, ding — we have a winner! We need to commit. Issue the commit command and your ping will start responding (after the 90-120 seconds that the commit takes, as well as any ARP lookups that need to build).
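Because every commit costs you 90-120 seconds, it is worth catching a typo in the management-interface values before you type them in. The following Python script is an added example, not part of the original post or of Palo Alto Networks’ tooling: it checks that the gateway sits inside the management subnet, that the address is usable, and that the two DNS servers differ, then returns the three CLI lines in the order the post issues them. The sample values are the ones from the post; the consistency checks are this example’s own assumptions about what a sane management configuration looks like.

```python
import ipaddress


def build_mgmt_config(ip, netmask, gateway, dns_primary, dns_secondary):
    """Sanity-check the management-interface values and return the PAN-OS CLI
    lines (configure, set, commit) in the order the post issues them.

    The consistency checks below are this example's own; they exist so that a
    typo is caught here rather than after a two-minute commit.
    """
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")  # accepts dotted netmasks
    gw = ipaddress.IPv4Address(gateway)
    net = iface.network

    # The management IP must be a host address, not the network or broadcast address.
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    # The default gateway must be reachable on the management subnet itself.
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside the management subnet {net}")
    if gw == iface.ip:
        raise ValueError("gateway cannot be the management IP itself")

    # Both DNS servers must parse, and a secondary that equals the primary adds nothing.
    dns = [ipaddress.IPv4Address(d) for d in (dns_primary, dns_secondary)]
    if dns[0] == dns[1]:
        raise ValueError("primary and secondary DNS servers should differ")

    set_line = (
        f"set deviceconfig system ip-address {iface.ip} netmask {iface.netmask} "
        f"default-gateway {gw} dns-setting servers primary {dns[0]} secondary {dns[1]}"
    )
    return ["configure", set_line, "commit"]


if __name__ == "__main__":
    # Values from the post; swap in your own network's addresses.
    for line in build_mgmt_config("10.241.0.102", "255.255.0.0", "10.241.0.254",
                                  "22.214.171.124", "126.96.36.199"):
        print(line)
```

Run it with your own values first; if it raises, fix the values before touching the console. The output is meant to be pasted line by line at the PA-220 prompt, which also keeps the commit as a deliberate last step rather than something you forget.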
Congrats. You now have a PA-220 that you can open in a web browser. I go to the URL of https://10.241.0.102. Don’t forget to specify the “https://” – the PA-220 is not set up to auto-redirect the “http” request to an “https.” Here’s how mine looks:
Yep – you have to accept the default self-signed certificate. Click “Advanced,” then “Proceed to 10.241.0.102 (unsafe)” and you’ll get a login prompt. Log in with admin/admin and right off the bat you’ll get a reminder that you are still using the default admin account credentials.
Once in, changing the admin password and creating your own account are the first two things I always do when setting up a system. Keep the new admin password somewhere secure just in case. Personally, I make the new password an extra-secure 16-24 character random password, verify that it works, write it down on a piece of paper, seal it in an envelope (truly seal, lick it and everything) and give it to someone in HR to keep in a safe for — forgive the pun — safekeeping.
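For the “extra-secure 16-24 character random password” step, here is an added Python example (not from the original post) that draws the password from the operating system’s CSPRNG through the secrets module, redraws until every character class is present, and reports the entropy so you can see what the length buys you. The symbol set is this example’s own choice: common punctuation minus quotes, backslash and space, which are the characters most likely to be mangled when pasted into a CLI or a config file.

```python
import math
import secrets
import string

# Alphabet used for generated passwords. The symbol set is this example's choice:
# common punctuation minus quotes, backslash and space, which tend to cause
# trouble when a password is pasted into a CLI or a config file.
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def has_all_classes(password):
    """True if the password contains lower, upper, digit and symbol characters."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_admin_password(length=24):
    """Return a random password of the requested length (16-24, as in the post),
    drawn from the OS CSPRNG via secrets, never from the random module."""
    if not 16 <= length <= 24:
        raise ValueError("length must be between 16 and 24 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw until every class is present so a complexity rule cannot reject it.
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of this length over this alphabet.
    This is an upper bound: rejecting candidates that miss a class removes a
    negligible fraction of the space at these lengths."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_admin_password(24)
    print(pw, f"({entropy_bits(len(pw)):.0f} bits)")
```

Generate the password on a machine you trust, paste it once into the device and once into whatever you are sealing in that envelope, and do not leave it in your shell history or clipboard afterwards.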
After acknowledging the Welcome screen with recent announcements, new releases of the OS, and other goodies, click OK.
To create your own admin account, go to Device -> Administrators -> Add (at the bottom of the screen) and fill in the mandatory fields:
Administrator Type: Dynamic with the drop-down beneath it set to “superuser”
Click “Ok,” then “commit” the change and your ID is set. At this point, I strongly recommend you log out from “admin” and log in with your newly created user before changing the “admin” password, to make life easier on yourself.
Working with your newly created “superuser” account, you can now pull down your licenses. If you’ve already followed all of the steps for registering your device in Palo Alto Networks’ portal, you should simply need to go to Device -> Licenses -> Retrieve license keys from license server.
One tip — if this doesn’t work, be sure you set up your DNS servers during the configuration of your PA-220’s management interface and that the IP address you specified has internet access. Without either of those, it will make your life MUCH more difficult.
Next, I like to check for my “Dynamic Updates.” Go to Device -> Dynamic Updates -> and click on “Check Now” at the bottom of the screen. Since this is a lab system, I set up my dynamic updates to run less frequently than I would on a production system, but you are welcome to set this up as you like.
As you set up the times for the downloads, be sure to stagger them so you aren’t trying to download everything at one time. Yes, it isn’t a big deal at 1:15 a.m. on a home or work lab, but it’s still a good habit to get into.
One “gotcha” detail – until you have an “Applications and Threats” version downloaded and installed, an option for “Antivirus” won’t even be listed. After you download and install your first “Applications and Threats” package, click “Check Now” under Dynamic Updates and you will now see an entry for “Antivirus.” Now you can set up “Antivirus” as you did the other dynamic updates.
The last thing I always recommend setting is your time zone on the appliance so your logs match what you expect. To do this, go to Device -> Setup -> Management -> click the gear icon on the General Settings section. From there, set your time zone (and I recommend changing your Hostname, as well, to something more personal). Click “Ok” and then “commit” the change.
You now have a basic PA-220 set up and running. Go ahead now and set up interfaces, zones, etc. and play in your home or work lab!
As a side note, should you ever need to reset a PA-220 to factory defaults, here are the steps:
- From the console’s initial prompt and NOT from the “configure” prompt (#), enter the following command: debug system maintenance-mode
- You will be prompted to reboot the firewall. Confirm with “y” and “Enter.”
- While the system reboots, watch for a prompt that will ask you, “Enter ‘maint’ to boot to maint partition.” At the prompt, type in “maint” and press “Enter.”
- After about five minutes, you should get to a screen that looks like this: Press “Enter” to continue.
- From this next menu, choose “Factory Reset.”
- Upon this confirmation screen (see image below), select “Factory Reset” and press “Enter.”
- Your PA-220 is now putting itself back to factory default mode. Be patient while this happens, as it takes several minutes.
- For my PA-220, this took about five minutes. At the end of this time, you will be presented with this screen where you want to choose “Reboot.”
Now it’s just a matter of waiting for the reboot to occur.
Thank you for walking through this with me, and I hope you have as great a time playing with your PA-220 as I have had with mine.
Check out these Fuel blog posts for further reading:
- My Journey to SSL Decryption