Palo Alto Lab

Configuring General Settings

Palo Alto Initial Configuration

I have created a simple lab to play with Palo Alto settings and explore more configuration parameters. The lab consists of a virtual switch based on VMware software and the devices installed on it. I wanted to install Active Directory so that I can later play with LDAP protocols and user authentication methods.

Picture 1 - Palo Alto simple lab setting using VMware workstation and VM series of Palo Alto

This is what you can see in the VMware software window: my virtual lab with VM-Series Palo Alto 9.0 installed on it.



Picture 2 - VMware Workstation running the virtual lab with Palo Alto installed

Changing management interface IP address

The first major thing is to ensure that the management address is set to a static IP address. 

Picture 3 - Applied CLI commands to change IP address for the management interface

In my case, from VM-Series 8.0 the management IP address is set to DHCP by default and cannot be changed to a static IP. As shown in the picture above, I changed the management IP address to the static 192.168.1.201/24 and received a success message after committing the changes. Nevertheless, the changes were not applied, as shown in the picture below.

Picture 4 - Still configured DHCP IP address 192.168.1.61 after changing to static 192.168.1.201

Remember to use the HTTPS protocol to access Palo Alto from the browser. Palo Alto uses only the secure HTTPS protocol (port 443) for communication with the user.

Now, I can ping from my desktop to the installed Palo Alto using its management IP address, 192.168.1.61.

I connected to the firewall management interface successfully, as shown in picture 5.

Picture 5 - Pinging to newly installed firewall from my local desktop

However, there is a way to change the DHCP IP address to a static one. We need to log in to the web interface and go to the Device tab. There, under Setup, we select the Management link. See the picture below and follow the steps as I did.

Picture 6 - Change to static IP from admin interface instead of CLI command line

The management interface setting window has a few useful parameters (services) that can be set up. 

I have made changes to the permitted IP addresses from which an administrator can access the firewall.

Picture 7 - Management Interface Settings

Picture 8 - Shown permitted addresses to access the firewall

Do not forget to commit the changes using the link on the left (picture 9). The changes will not be applied until the administrator commits them.

Picture 9 - Commit process

Picture 10 - Observed progress of committing changes

Now, I am ready to log in with the new address, 192.168.1.201/24. 

Picture 11 - Firewall login page in the browser

Also, inside the Dashboard tab, I can confirm the changes I made. 

Picture 12 - Firewall Dashboard tab

Configure General Settings of Palo Alto

The next step is to configure the general settings of the firewall. I go to the Device tab and click on Settings and then the Management link. Now, I select the gear icon to access the firewall general settings.

Picture 13 - Palo Alto general settings

On the right, you can see the Palo Alto general settings window. 

Picture 14 - General settings window

We can choose the type of DNS service to be used for all DNS queries that the firewall initiates.

Picture 15 - DNS settings of management interface

Entering the address of an NTP server ensures that the firewall clock is synchronised to the NTP service.

Picture 16 - NTP settings

All services can be customised. 

Picture 17 - Customise service route configuration

In the example below, I show how changes can be made for the NTP service. For example, I can choose the interface which will be used for the NTP service.

Picture 18 - Service Route Configuration

Picture 19 - Options for the interface and source IP address change of NTP service
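
The settings walked through above (static management address, permitted IP addresses, DNS and NTP) can be checked before a commit by auditing a set-format export of the configuration. The following Python code is an added example, not part of the original post or of Palo Alto's tooling. The config lines, every address except 192.168.1.201 and the admin host address are constructed sample data, and the deviceconfig system paths are assumed to match the set-format output of the PAN-OS version in use.

```python
import ipaddress

# Constructed sample: set-format lines for the lab's management settings
# (every address except 192.168.1.201 is invented for this example).
SAMPLE_CONFIG = """\
set deviceconfig system type static
set deviceconfig system ip-address 192.168.1.201
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 192.168.1.1
set deviceconfig system permitted-ip 192.168.1.10
set deviceconfig system dns-setting servers primary 192.168.1.1
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 192.168.1.1
set deviceconfig system service disable-http yes
set deviceconfig system service disable-telnet yes
"""

PREFIX = "set deviceconfig system "

def parse(config):
    """Map each 'set deviceconfig system <path> <value>' line to path -> [values]."""
    settings = {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            path, _, value = line[len(PREFIX):].rpartition(" ")
            settings.setdefault(path, []).append(value)
    return settings

def audit(config, admin_ip):
    """Return a list of findings for the management interface settings."""
    s, findings = parse(config), []
    if s.get("type") != ["static"]:
        findings.append("management address is not static (type is %s)" % s.get("type"))
    if "ip-address" not in s:
        findings.append("no management ip-address configured")
    permitted = [ipaddress.ip_network(p, strict=False) for p in s.get("permitted-ip", [])]
    if not permitted:
        findings.append("no permitted-ip list: any source may reach management")
    elif not any(ipaddress.ip_address(admin_ip) in n for n in permitted):
        findings.append("admin host %s is not in permitted-ip (lockout after commit)" % admin_ip)
    for svc in ("disable-http", "disable-telnet"):
        if s.get("service " + svc) != ["yes"]:
            findings.append("%s is not explicitly set to yes" % svc)
    if not any(k.startswith("ntp-servers") for k in s):
        findings.append("no NTP server configured")
    if not any(k.startswith("dns-setting") for k in s):
        findings.append("no DNS server configured")
    return findings
```

Calling audit(SAMPLE_CONFIG, "192.168.1.10") returns an empty list; passing an admin address outside the permitted list returns the lockout finding before the change is committed.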