301 lines
7.3 KiB
Plaintext
301 lines
7.3 KiB
Plaintext
# Shortcuts
|
|
# q - Quit
|
|
# ctl + c = run job in background
|
|
# z = clear screen
|
|
|
|
|
|
Reboot from Factory Reset
|
|
# Connect the PA via the console cable
|
|
# Power on
|
|
# When asked to exit the ZTP mode and configur eyour firewall in standard mode, type YES
|
|
|
|
# System Will Reboot, wait 5min
|
|
|
|
# Default Creds: admin:admin
|
|
|
|
console@PaloAlto> configure
|
|
|
|
console@PaloAlto# set deviceconfig system hostname FW-19
|
|
console@PaloAlto# set deviceconfig system ip-address 192.168.1.19 netmask 255.255.255.0
|
|
console@PaloAlto# set deviceconfig system default-gateway 192.168.1.1
|
|
console@PaloAlto# set deviceconfig system dns-setting servers primary 8.8.8.8
|
|
console@PaloAlto# set deviceconfig system dns-setting servers secondary 1.1.1.1
|
|
console@PaloAlto# set deviceconfig system primary-ntp-server ntp-server-address 1.2.3.4
|
|
|
|
console@PaloAlto# commit
|
|
|
|
# Connect the MGT Cable to the PC
|
|
# SSH AND HTTPS now should be open
|
|
|
|
ssh@PaloAlto> show system info
|
|
|
|
# HTTPS
|
|
# Configure Widgets in Dashboard
|
|
# Device tab > Setup
|
|
# Configure this as needed
|
|
# Enable SSH and HTTPS and PING
|
|
|
|
# Device tab > Licences
|
|
# apply the licenses
|
|
|
|
# Device tab > Dynamic Updates
|
|
# Check Now
|
|
# Download and Install Applications and Threats update
|
|
# Download and Install other updates needed
|
|
# After the updates install, the "Antivirus Tab" will reveal after a "Check Now" refresh
|
|
|
|
|
|
ZONES AND L3 INTERFACES
|
|
Zones
|
|
# Network tab > Zones
|
|
# Add
|
|
# Name: Inside
|
|
# Type: Layer3
|
|
# OK
|
|
|
|
# Add
|
|
# Name: Outside
|
|
# Type: Layer3
|
|
# OK
|
|
|
|
Interfaces
|
|
# Network tab > Interfaces
|
|
# ethernet1/1
|
|
# Interface Type: Layer3
|
|
# Config
|
|
# Virtual Router: default
|
|
# Security Zone: Inside
|
|
# IPv4
|
|
# Add
|
|
# 10.10.0.19/24
|
|
# OK
|
|
|
|
# ethernet1/4
|
|
# Interface Type: Layer3
|
|
# Config
|
|
# Virtual Router: default
|
|
# Security Zone: Outside
|
|
# IPv4
|
|
# Add
|
|
# 23.1.2.19/24
|
|
# OK
|
|
|
|
# ethernet1/1
|
|
# Interface Type: Layer3
|
|
# Config
|
|
# Virtual Router: default
|
|
# Security Zone: Outside
|
|
# IPv4
|
|
# Add
|
|
# 24.1.2.19/24
|
|
# OK
|
|
|
|
|
|
# CLICK COMMIT
|
|
|
|
# Plug in the appropriate cables to the appropriate ports
|
|
# Test the connectivity with a ping (make sure the source is defined because default is the MGT port)
|
|
|
|
ssh@PaloALto> ping source 24.1.2.19 host 24.1.2.1
|
|
PASSED
|
|
|
|
ssh@PaloAlto> ping host 24.1.2.1
|
|
FAILED
|
|
|
|
|
|
|
|
DEFAULT IP ROUTES
|
|
|
|
# Display current IP Routes
|
|
ssh@PaloAlto> show routing route
|
|
|
|
# HTTPS
|
|
# Network tab > Virtual Routers
|
|
# Click on default
|
|
# Router Settings
|
|
# Name: Virtual_Router
|
|
# Static Routes
|
|
# Add
|
|
# Name: Default Route A
|
|
# Destination: 0.0.0.0/0
|
|
# Interface: ethernet1/4
|
|
# Next Hop: IP ADDRESS : 23.1.2.1
|
|
# Admin Distance: 10
|
|
# Metric: 10
|
|
# OK
|
|
|
|
# Add
|
|
# Name: Default Route B
|
|
# Destination: 0.0.0.0/0
|
|
# Interface: ethernet1/5
|
|
# Next Hop: IP ADDRESS : 24.1.2.1
|
|
# Admin Distance: 20
|
|
# Metric: 20
|
|
# OK
|
|
|
|
# CLICK COMMIT
|
|
|
|
# Verify the Route was added
|
|
|
|
ssh@PaloAlto> show routing route
|
|
ssh@PaloAlto> ping source 23.1.2.19 host 8.8.8.8
|
|
|
|
# HTTP
|
|
# Device tab > Troubleshooting
|
|
# Test Configuration
|
|
# Select Test: Ping
|
|
# Source: 23.1.2.19
|
|
# Host: 8.8.8.8
|
|
# EXECUTE
|
|
|
|
|
|
|
|
8
|
|
DHCP Services
|
|
|
|
# HTTPS
|
|
# Network Tab > DHCP
|
|
# Interface: ethernet1/1
|
|
# Mode: Auto
|
|
# Lease
|
|
# 🗹 Ping IP when...
|
|
# IP Pools
|
|
# Add
|
|
# 10.10.0.51-10.10.0.99
|
|
# Options
|
|
# Gateway: 10.10.0.19
|
|
# Subnet Mask: 255.255.255.0
|
|
# Primary DNS: 10.10.0.100
|
|
# OK
|
|
|
|
# CLICK COMMIT
|
|
|
|
|
|
|
|
SOURCE NAT CONFIGURATION
|
|
# HTTPS
|
|
# Policies tab > NAT
|
|
# Add
|
|
# General
|
|
# Name: SNAT_in_to_out
|
|
# Original Packet
|
|
# Source Zone: inside
|
|
# Destination Zone: Outside
|
|
# Destination Interface: ethernet1/4
|
|
# Source Address:
|
|
# Name: Subnet 10.10
|
|
# Type: IP Netmask : 10.10.0.0/24
|
|
# Translated Packet
|
|
# Translation Type: Dynamic IP and Port
|
|
# Address Type: Interface Address
|
|
# Interface: ethernet1/4
|
|
# IP Address: 23.1.2.19/24
|
|
# OK
|
|
|
|
# Test the rule
|
|
ssh@PaloAlto> test nat-policy-match from inside to outside source 10.10.0.51 destination 8.8.8.8 protocol 1
|
|
|
|
# HTTP
|
|
# Policies tab > Test Policy Match
|
|
# From: Inside
|
|
# To: Outside
|
|
# Source: 10.10.0.51
|
|
# Destination: 8.8.8.8
|
|
# EXECUTE
|
|
|
|
|
|
|
|
|
|
INITIAL SECURITY POLICY
|
|
# HTTPS
|
|
# Policies tab > Security
|
|
# Add
|
|
# General
|
|
# Name: Inside to Outside
|
|
# Source
|
|
# Source Zone: inside
|
|
# Source Address: Subnet 10.10
|
|
# Destination
|
|
# Destination Zone: outside
|
|
# Destination Address: 🗹 ANY
|
|
# Application
|
|
# 🗹 ANY
|
|
# Service/URL Category
|
|
# 🗹 ANY
|
|
# Actions
|
|
# Action Setting: Action : Allow
|
|
# Log Setting: 🗹 Log at Session End
|
|
# OK
|
|
|
|
# CLICK COMMIT
|
|
|
|
# TEST IT on the host machine by connecting to the internet
|
|
# HTTPS
|
|
# Monitor tab > Traffic
|
|
# Monitor tab > Session Browser
|
|
|
|
|
|
|
|
|
|
DECRYPTION (SSL Forward Proxy)
|
|
# HTTPS
|
|
# Device tab > Certificate Management > Certificates > Device Certificates
|
|
# Export your .cer file from your Certificate Authority Server
|
|
# Import the file (bottom of screen)
|
|
# name the Certificate ( Enterprise_CA )
|
|
# File Format: Base64 (or whatever it is encoded in)
|
|
# Click on the cert
|
|
# 🗹 Trusted Root CA
|
|
# Generate
|
|
# Name: Cert_Fwd_Proxy
|
|
# Common Name: Cert_For_Forward_Proxy
|
|
# Signed by: External Authority
|
|
# 🗹 Certificate Authority
|
|
# GENERATE
|
|
# Click on the generated cert
|
|
# Export Certificate (Bottom)
|
|
# Upload it to the CA Server
|
|
# Generate the Certificate on the CA server
|
|
# Download cert from CA server
|
|
# Copy the name from the request on the PA HTTPS client
|
|
# IMPORT
|
|
# Upload the new .cer file
|
|
# Name: Same name as above
|
|
# Click on the name
|
|
# 🗹 Forward Trust Certificate
|
|
|
|
# Redo above steps to regenerate an "Untrust" Cert
|
|
|
|
# Objects tab > Decryption > Decription Profile
|
|
# Add
|
|
# Name: Decryption_Profile1
|
|
# SSL Decryption
|
|
# 🗹 Block sessions with expired certificates
|
|
# 🗹 Block sessions with untristed issuers
|
|
# 🗹 Block sessions with unspported versions
|
|
# 🗹 Block sessions with unsupported cipher suites
|
|
# 🗹 Block sessions with client authentication
|
|
# SSL Protocol Settings
|
|
# Configure this as needed
|
|
|
|
# Policies Tab > Decryption
|
|
# Add
|
|
# General
|
|
# Name: Decrypt
|
|
# Source
|
|
# Source Zone: inside
|
|
# Source Address: Subnet 10.10
|
|
# Destination
|
|
# Destination Zone: outside
|
|
# Destination Address: 🗹 Any
|
|
# Service/URL Category
|
|
# Service: service-https
|
|
# Options
|
|
# Action: Decrypt
|
|
# Type : SSL Forward Proxy
|
|
# Decryption Profile: Dcryption_Profile1
|
|
# 🗹 Log Successful SSL Handshake (may slow down system)
|
|
# 🗹 Log Unsuccessful SSL Handshake
|
|
# OK
|
|
|
|
# CLICK COMMIT |