Getting Started Video - Setting Up Your Firewall

Getting Started Video - Setting Up Your Firewall

Created On 09/26/18 13:44 PM - Last Modified 01/20/20 12:52 PM

I've unpacked my firewall, now what?

After unboxing your brand new firewall, or after a factory reset, the device is in a blank state with nothing but the minimum configuration and a software image that's installed in the factory. Where do you go from here? Our first installment in the new "Get Started" series guides you through the very first stages of preparing your firewall for operation.


We'll be taking a look at how to connect to the firewall for the first time, how to set up licenses so you can download new software and content, and how to prepare your first security policy.

The first thing you'll want to configure is the management IP address, which makes it easier to continue setting up your new device later on.

1. Initial setup

The two methods available to connect to the new device is either using a network cable on the management port or an ethernet-to-db-9 console cable.

  • When using the management port, the workstation you'll be using must be reconfigured so its network interface has an IP address in the IP range, as the default IP of the management port will be
  • When using a console cable, set the terminal emulator to 9600baud, 8 data bits, 1 stop bit, parity none, VT100. If you use PuTTY, it should come with the appropriate configuration if connection type is set to Serial.

After preparing the cables and the workstation, plug the unit into an electrical outlet and watch the firewall boot up.

The console outputs the boot sequence:

           Welcome to PanOS
Starting udev: [  OK  ]
Setting clock  (utc): Wed Oct 14 11:10:53 PDT 2015 [  OK  ]
Setting hostname 200:  [  OK  ]Checking filesystems:
   Running filesystem check on sysroot0: [  OK  ]
   Running filesystem check on pancfg: [  OK  ]
   Running filesystem check on panrepo: [  OK  ]
[  OK  ]
Remounting root filesystem in read-write mode:  [  OK  ]
Enabling /etc/fstab swaps:  [  OK  ]
INIT: Entering runlevel: 3
Entering non-interactive startup
Starting Networking: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

After the device is booted, a login prompt is displayed in the console connection and SSH or SSL connections can be made to

We'll highlight the console and SSH in step 1.1. and the Graphical User Interface (GUI) in step 1.2.

1.1. Console and SSH connection

The default username and password are admin / admin, so we'll go ahead and log in to reveal the CLI. From here, we'll start setting up the proper IP address and subnet for the device, and the default gateway and DNS settings, so the unit can collect updates later.

login as: admin
Using keyboard-interactive authentication.
Last login: Wed Oct 14 11:57:16 2015 from
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
admin@PA-200> configure
Entering configuration mode
admin@PA-200# set deviceconfig system ip-address netmask default-gateway dns-setting servers primary

Use the commit command to apply the new settings to the system. 

admin@PA-200# commit

Configuration committed successfully


At this point, you'll lose SSH and SSL access to the device, as the IP address was changed and the management service restarted to adopt these changes. Now you need to reconnect to the new IP address—please skip to step 1.3.

1.2. Web interface initial setup

When making your first connection to the web interface, your browser may display an error message. This is because the certificate used by the web interface is a self-signed certificate your browser does not trust. You can safely ignore the error message at this time, which then takes you to the login screen:

Log in, using the default username and password admin / admin.

Navigate to the Device > Setup > Management, where you can change the Management Interface Settings:
  • Change the interface configuration and click OK.
  • Next, select the Services tab and configure a DNS server.
  • Apply changes to the device, click the Commit link at the top right: 
After the commit completes, the browser eventually times out as the IP address has changed, so you'll need to manually change the address in the address bar to reconnect to the new IP.

1.3 Finishing up the first step

The firewall is now configured with a proper IP address to work in your LAN network, so go ahead and connect the cables:
  • Connect Interface 1 to the router
  • Connect Interface 2 to the switch
  • Connect the Management (mgmt) interface to the switch
You should be able to connect to the management IP from the network, and you should be able to surf out to the Internet.

2. Preparing the licenses and updating the system

To be allowed to download content and application updates or software upgrades, the system needs to be licensed. Various licenses control the different functions of the system, so the -
  • Support license entitles the system to software and AppID updates
  • ThreatPrevention license adds virus, threats and malware signatures
  • URL license enables URL categories for use in security policies
If the device has not been registered on the support portal yet, please follow these steps to register the device: How to Register a Palo Alto Networks Device, Spare, Traps, or VM-Series Auth-Code

Navigate to the Device tab and select Licenses from the left pane:
  • If the device has been registered using the above method and auth codes have already been added, go ahead and select Retrieve License keys from license server.
  • If the device was registered but no licenses added yet, select Activate feature using authorization code to activate a license through its authorization code, which you will have received from your Palo Alto sales contact.

Now you're ready to start updating the content on this device, so navigate to the Device > Dynamic Updates.

2.1 Updating content

The first time this page opens, there will be no visible packages for download. The system will first need to fetch a list of available updates before it can display which ones are available, so select Check Now.

When the system retrieves a list of available updates, the Applications and Threats package becomes available. You may notice the AntiVirus package is missing. It appears only after downloading and installing the Applications and Threats Package.

After the package is downloaded, go ahead and install it on the system.

When the Applications and Threats package has been installed, run another Check Now to retrieve the Antivirus package.

Now download and install the Antivirus package just like you did with the Applications and Threats package.

2.2 Setting a schedule

With these tasks completed, this is a good time to set a schedule for every package to be automatically downloaded and installed at a time that's convenient for you. Content updates can be installed during production and don't interrupt existing sessions, so it's safe to apply updates during the day. However, most organizations opt to perform updates during the night or off-hours to minimize risk.

Set a schedule by clicking the timeframe next to the schedule.

After setting the appropriate schedules, commit the change.

2.3 Upgrading the system

After the commit completes, go ahead and upgrade the system to a more recent PAN-OS in case the unit is installed on an older OS.

Navigate to the Device > Software. The first time you access this tab, a popup displays No update information available, because the system has no previous contact with the update server and doesn't know which updates are available. Go ahead and close this popup, then select Check Now.

Check out the BEST PRACTICES GUIDE FOR PAN-OS UPGRADE for more information on how to upgrade your device properly.

3. Preparing security profiles

The system comes preloaded with a default security profile in each category.

For now, you'll start the configuration with these default profiles, except for URL filtering. Navigate to the Objects Tab, select Security Profiles > URL Filtering and add a new URL filtering profile.

In this first custom URL filtering profile, start by setting all actions to alert rather than allow, as the allow action doesn't create a URL filtering log entry. Set actions to alert to gain some insight into the kind of web browsing happening on the network.

All other default profiles should already provide sufficient coverage for network security and for offensive sessions to become visible in the appropriate logs. Next up, you'll prepare the group of unwanted applications.

4. Applications

After downloading update packages, the firewall contains a lot of applications you can use to create security policy, but these applications also come loaded with useful metadata to create groups of applications based on their behavior, called an application filter. Rather than having to manually add applications to a group and keep the list current, the application filter automatically adds new applications that match a certain behavior to the application filter, enabling the security policy to take appropriate action.

Create an application filter with undesirable behavior for the first policy. Go to the Objects tab, then select Application Filters.

As an example, you'll create an application filter called peer-to-peer, where you add all applications that match Subcategory file-sharing and Technology peer-to-peer.

Now you're ready to set up your first security policy and look at the logs, but first, let's take a quick detour to look at the network configuration.

5. Network configuration

If you navigate to the Network tab and look at Interfaces, you see that interfaces 1 and 2 are both set up as Virtual Wire, or vwire, and are both added to the default-vwire.

A vwire has some interesting advantages over other types of interface configurations: it is considered a bump-in-the-wire, which requires no IP address on the interface and no routing configuration. It can simply be plugged in between your router and switch to start passing traffic. We'll cover other interface types in upcoming articles, but for now, let's stick with the vwire configuration.

6. Security policy and logging

Now that you've prepared your device, let's look at the security policies and set up an initial configuration that allows good traffic to go out and bad traffic to be blocked.

The initial security policy simply allows all outbound traffic, without inspection. There are two default rules that allow intrazone and block interzone traffic. We'll zoom in on these last two in an upcoming session as they are not currently relevant to the vwire.

Start by editing rule1 and make it the 'bad applications' block rule:

  • Leave the source and destination as they are.
  • Under Application > Application Filter, select peer-to-peer. It helps to type the name of the application or group you want to addno need to scroll through all the applications:
  • Under Actions, set the action to Deny as you don't like peer-to-peer, and click OK.
Next, you'll create a security policy to allow everything else out. We recommend you add applications to the 'allow' rule later, but for now, let's block only the applications we know we don't like and allow the rest, so you can gain visibility into what kind of traffic is passing onto the Internet and decide if you want to block more applications down the line.
  • Under Source, select trust as the source zone associated with Interface 2, which is connected to the LAN switch.
  • Under Destination, select untrust as the zone associated with Interface 1 and connected to the Internet router.
  • Leave the applications as Any for now. 
  • Under Actions, you'll add security profiles to enable scanning of outgoing connections for malicious content or to apply URL filtering to browsing sessions.
Make sure the Internet-access policy is positioned below the bad-applications-block policy, as the security policy is processed top to bottom for every new connection, and the first positive match applies. If the bad-applications-block policy is located below the Internet-access rule, peer-to-peer applications will be allowed.

Now go ahead and commit these changes and navigate to the Monitor tab. When the commit operation completes, the logs start filling up with interesting traffic, URL, and threat information, if any infections are detected.

I hope you enjoyed this video. Please feel free to leave a comment and check out our other episodes in the getting started series.



Tom Piens

Additional Information
Day 1 Configuration: What Does It Do ?

When registering a new device at the end of the registration process, an optional new step appears, requesting you to run a Day 1 Configuration.

What does this step do and what are the advantages of running it?

The Day 1 Configuration tool helps build a sturdy baseline configuration by providing templates that introduce best practice configuration as a foundation on which the rest of the configuration can be built.

The configuration templates are based on existing best practice recommendations from Palo Alto Networks.

Instead of extensive and detailed "how-to" documentation, the Day 1 Configuration templates provide an easy-to-implement configuration model that is use-case agnostic. The emphasis is on key security elements, such as: dynamic updates, security profiles, rules, and logging that should be consistent across deployments.


  • Print
  • Copy Link

Choose Language