Set Off on the Right Foot
Although we at Mode44 are waiting in the wings to help with the initial configuration of your Palo Alto Networks devices or cloud services, it may be useful to have a useable, practical video guide to assist with the configuration, as well as a proven check list of configurations that have to be made to ensure initial functionality and access to resources without adding any unintended security issues, or rules that could later become a problem to remove.
Any Any Rules take seconds to implement and possibly years to remove
The ANY ANY Rule
The dreaded Any Any rule is often put in to provide connectivity quickly and ensure that firewall is implemented with as little loss of production or user interruption as possible and indeed does serve that purpose very well, however it does have several ramifications that can become an issue later on in the lifecycle of the device when you are looking to create a stronger security policy, as well as masking applications that may be critical to the organisation which are allowed to connect based on the Any Any rule but then stop working as other rules are put in place to tighten up the Rulebase.
Simple Checklist
- Normally you would use a Static IP to manage the firewall, the first step is to ensure that your IP is static and that management interface has the correct network configuration.
- Under Services, add your DNS server settings and optionally the NTP settings, I would use public for both i.e. 8.8.8.8 and time.google.com as a minimum
- Commit the configurations, on 10.0 and above (which most will be reading this) you will have already changed the admin password as it is a required step, this step will also commit that change.
- Next under Device and Licenses, using the authkey you received from Palo activate your device.
- Once licensed and the firewall can reach the Palo Alto CSP under dynamic updates, click check now and download the APP and Threat updates first.
- Once APP and Threat is complete install these using the install button, Anti-Virus will then be available when you click check now again.
- Create your Zones under Network, Zones
- Use your new Zones to create your first Security polices, remember try and avoid the dreaded ANY ANY rule, you will most likely need a NAT rule, both can be configured under Policies TAB.
- Suggested action is to use the pre-configured security profiles in your rule to provide the best "out of the box" security
- Under Virtual routers you will see a default router you need to add your interfaces in here and then put a static route in for the default route pointing to you external interface and using the IP of your service provider
- Commit the config
The above list is a very simple checklist of the most used basic configurations, I have compiled a playlist on the YouTube channel that goes through the step by step configuration of palo alto firewalls, please head over there for a more in depth walkthrough, the link opposite takes you to the first in the series.
Any questions, simply get in touch or leave a comment asking, currently we are replying fairly quickly to both.
