Day 1 Configuration: What Does It Do?
Question
When registering a new device (at the end of the registration process), an optional step prompts you to run Day 1 Configuration.
What does Day 1 Configuration, and what are the advantages of running it?
The Day 1 Configuration tool helps you configure your devices for threat prevention using best practice recommendations from Palo Alto Networks.
Instead of extensive and detailed "how-to" documentation, Day 1 Configuration templates provide an easy-to-implement configuration model that is use case agnostic. The emphasis is on key security elements, such as: dynamic updates, security profiles, rules, and logging that should be consistent across deployments.
Why Use Day 1 Configuration Templates?
Day 1 configuration templates play use common best practice recommendations and compiles them into pre-built Day 1 Configuration templates. These templates can then be loaded into Panorama or a next-generation firewall. Benefits of Day 1 Configuration templates include:
- Faster time to implement
- Reduce configuration errors
- Improve security posture
Day 1 Configuration in Network Security
If you have already registered a device, you can access the Day 1 Configuration tool from Assets > Network Security.
Then, select Day 1 Configuration icon for an NGFW.
Day 1 Configuration in Tools > Run Day 1 Configuration
Or, if you have already registered a device, you can access the Day 1 Configuration tool from Tools > Run Day 1 Configuration.
Day 1 Configuration in Devices
Or, if you have already registered a device, you can access the Day 1 Configuration tool from Devices > Run Day 1 Config.
What Are The Day 1 Configuration Steps?
Day 1 Configuration prompts you to enter an PAN OS version. Specify the same PAN OS version you selected during Device Registration. Also, enter a hostname for your device.
Then, enter IP information and log server information for the device,
NOTE: Please check the caveats in the "Additional information" section below to prepare your device to accept Day 1 Configuration.
Some values have been provided as examples below.
Then, click Generate Config File. The newly generated config file is then downloaded via your browser. If you have downloads blocked, make sure to allow the download or add an exception. Import and load the prepared Day 1 Configuration file onto your firewall.
Note: Day 1 configuration template only supports IPv4. If IPv6 is needed, the configuration must be done by CLI instead of the automated configuration tool. IPv6 can also be configured after the IPv4 configuration using GUI or CLI.
FAQ
Is the Day 1 Configuration a complete deployment configuration?
No. The Day 1 Configuration is a deployment agnostic configuration without interfaces, zones, or "allow" security policies. It is dependent on custom configuration or additional skillets/templates to create a fully deployable config.
How is the Day 1 Configuration related to IronSkillet?
The Day 1 Configuration is based on the IronSkillet full configuration files for the first day of configuration of the software versions selected. The Day 1 Configuration tool utilizes a simplified interface to capture customer specific elements and generate the Day 1 Configuration, which can be imported into the firewall.
How is the Day 1 Configuration related to a Best Practice Assessment (BPA)?
The Day 1 Configuration can be scored by the Best Practice Assessment (BPA) tool, typically landing at 50-60% scores, yellow to green. The BPA then provides recommendations towards an end-state ideal configuration with configurations added beyond day one.
Environment
- Palo Alto Firewall
- Any PAN-OS.
- Registering a new device in the Customer Support Portal (CSP).
- Running the Day 1 Configuration Tool after registering a device.
Additional Information
Before importing the configuration onto your new device, ensure the system has been prepared.
Ensure the firewall is upgraded to the PAN-OS that was selected at the start of the Day 1 configuration process:
Customers can review the preferred maintenance release versions for each major version on Support PAN-OS Software Release Guidance.
Activate subscription for Threat Prevention
Updated application and antivirus content
These steps are required so the recommended features included in the configuration have been activated on the device prior to importing.
NOTE: The Palo Alto Networks provided External Dynamic Lists, for example, are loaded once the device is properly licensed and the first content updates have been installed.
IronSkillet documentation resources:
IronSkillet PAN-OS Overview
IronSkillet PAN-OS Updates
IronSkillet Default Loadable Configuration
IronSkillet Documentation
Additional documentation
The Best Practices Library