Perform Initial Configuration for an Air Gapped Firewall
Initial configuration procedure for a standalone air gapped next-generation firewall.
Perform the initial configuration for an air gapped firewall. By default, the PA-Series firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. Perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.
The air gapped firewall cannot connect to the Palo Alto Networks update server because an outbound internet connection is required. To activate licenses, upgrade the PAN-OS software version, and install dynamic content updates you must upload the relevant files to the air gapped firewalls manually.
  1. Gather the required information from your network administrator.
    • Private IP address for the management (MGT) port
    • Netmask
    • Default gateway
    • DNS server address
    • NTP server address
  2. Install and power on the firewall.
    Review your firewall hardware reference guide for details and best practices.
  3. Connect to the firewall.
    You must log in using the default admin username. You are immediately prompted to change the default admin password before you can continue. The new password must be a minimum of eight characters and include a minimum of one lowercase and one uppercase character, as well as one number or special character.
    You can connect to the firewall in one of the following ways:
    • Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for example PA-220 login.
    • Log in to the firewall web interface by connecting an RJ-45 Ethernet cable from your computer to the MGT interface on the firewall. From a browser, go to https://192.168.1.1.
      You may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, to access this URL.
  4. (Best Practices) Disable Zero Touch Provisioning (ZTP).
    ZTP can only be disabled from the firewall CLI. The firewall reboots after you disable ZTP.
    Continue to the next steps after the firewall has rebooted and you can log back in.
    • PA-5450, PA-460, PA-450, PA-440, and PA-410
      admin> set system ztp disable
    • All Other Firewalls
      admin> request disable-ztp
  5. Configure the network settings for the air gapped firewall.
    The following commands set the MGT interface IP allocation to static and configure the MGT interface IP address, the Domain Name System (DNS) servers, and the Network Time Protocol (NTP) servers.
    admin> configure
    admin# set deviceconfig system type static
    admin# set deviceconfig system ip-address <IP-Address> netmask <Netmask-IP> default-gateway <Gateway-IP>
    admin# set deviceconfig system dns-settings servers primary <IP-Address> secondary <IP-Address>
    admin# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP-Address>
    admin# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <IP-Address>
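    The following Python script is an added example and is not part of the Palo Alto Networks documentation: it checks a new admin password against the policy stated in step 3, validates the addresses gathered in step 1 (private addresses only, gateway inside the MGT subnet) and then emits the step 5 CLI commands. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Password policy stated in step 3: at least eight characters, one lowercase,
# one uppercase, and one digit or special character.
def password_meets_policy(password):
    return (
        len(password) >= 8
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[^a-zA-Z]", password) is not None
    )

def validate_mgt_settings(ip, netmask, gateway, dns, ntp):
    """Return a list of problems with the step 1 inputs (empty list = OK)."""
    problems = []
    mgt = ipaddress.ip_interface(f"{ip}/{netmask}")  # raises ValueError if malformed
    if not mgt.ip.is_private:
        problems.append(f"MGT address {mgt.ip} is not a private address")
    gw = ipaddress.ip_address(gateway)
    if gw not in mgt.network:
        problems.append(f"gateway {gw} is outside the MGT subnet {mgt.network}")
    for role, addrs in (("DNS", dns), ("NTP", ntp)):
        for addr in addrs:
            if not ipaddress.ip_address(addr).is_private:
                problems.append(f"{role} server {addr} is not a private address")
    return problems

def build_mgt_config(ip, netmask, gateway, dns, ntp):
    """Return the step 5 CLI commands; refuse to emit them if validation fails."""
    problems = validate_mgt_settings(ip, netmask, gateway, dns, ntp)
    if problems:
        raise ValueError("; ".join(problems))
    mgt = ipaddress.ip_interface(f"{ip}/{netmask}")
    cmds = [
        "configure",
        "set deviceconfig system type static",
        f"set deviceconfig system ip-address {mgt.ip} netmask {mgt.netmask} "
        f"default-gateway {gateway}",
        "set deviceconfig system dns-settings servers primary " + " secondary ".join(dns[:2]),
    ]
    for label, addr in zip(("primary-ntp-server", "secondary-ntp-server"), ntp[:2]):
        cmds.append(f"set deviceconfig system ntp-servers {label} ntp-server-address {addr}")
    return cmds

if __name__ == "__main__":
    # Constructed sample values for an air gapped management network.
    for line in build_mgt_config("10.20.30.5", "255.255.255.0", "10.20.30.1",
                                 ["10.20.30.53"], ["10.20.30.123", "10.20.30.124"]):
        print(line)
```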
  6. Register the firewall with the Palo Alto Networks Customer Support Portal (CSP).
    1. Log in to the Palo Alto Networks CSP.
    2. Click Register a Device.
    3. Select Register device using Serial Number and click Next.
    4. Enter the required Device Information.
      • Enter the firewall Serial Number.
      • Check (enable) Device will be used offline.
      • Select the PAN-OS OS Release running on the firewall.
    5. Enter the required Location Information.
      • Enter the City the firewall is located in.
      • Enter the Postal Code the firewall is located in.
      • Enter the Country the firewall is located in.
    6. Agree and Submit.
    7. Skip this step when prompted to generate the optional Day 1 Configuration config file.
  7. Download your firewall license keys.
    The license key files are required to activate your firewall licenses when air gapped.
    1. Log in to the Palo Alto Networks CSP.
    2. Select Products > Devices and locate the firewall you added.
    3. Download all license key files from the download links available in the License column.
      You must download a license key file for each license you want to activate on the firewall.
  8. Activate the firewall licenses.
    1. Select Device > Licenses and Manually upload license key.
      Click Choose File to select the license key file you downloaded in the previous step and click OK.
    2. Repeat this step to upload and activate all licenses.
  9. (Optional) Configure general firewall settings as needed.
    1. Select Device > Setup > Management and edit the General Settings.
    2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
    3. Enter Login Banner text that informs users who are about to log in that they require authorization to access the firewall management functions.
      As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
    4. Enter the Latitude and Longitude to enable accurate placement of the firewall on the world map.
    5. Click OK.
    6. Commit your changes.
  10. Upgrade the firewall PAN-OS and dynamic content versions.
    Review the PAN-OS Upgrade Guide and PAN-OS Release Notes for detailed information about your target PAN-OS upgrade version.
    1. Log in to the Palo Alto Networks CSP.
    2. Download dynamic content updates.
      1. Select Updates > Dynamic Updates.
      2. Select the dynamic Content type you want to install.
      3. Download the dynamic content update to your local device.
      4. Repeat this step to download all required dynamic content updates.
    3. Download a PAN-OS software update.
      1. Select Updates > Software Updates.
      2. For the Content type, select the firewall model. For the Release type, select All (default) or Preferred.
      3. In the Download column, click the PAN-OS version to download the software image to your local device.
    4. Select Device > Dynamic Updates and Upload the dynamic content updates you downloaded.
      Repeat this step to Browse and select all the dynamic content release versions.
    5. Install the dynamic content updates.
    6. Select Device > Software and Upload the PAN-OS software image you downloaded.
    7. Install the PAN-OS software version.
      The firewall needs to restart to finish installing the PAN-OS software upgrade.
  11. Connect the firewall to your network.
    1. Disconnect the firewall from your computer.
    2. (All firewalls except for the PA-5450) Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for autonegotiation.
    3. (PA-5450 only) Connect the MGT port to a switch port on your management network using a Palo Alto Networks certified SFP/SFP+ transceiver and cable.
  12. Verify the air gapped firewall connectivity.
    1. Select Device > Troubleshooting.
    2. Verify the firewall can reach required internal devices.
      1. For Select Test, select ping.
      2. For the Host, enter an internal IP address to verify the firewall can reach a device in the air gapped network.
      3. Click Execute and wait for the test to complete.
        Click the Test Result when displayed to review the Result Detail to confirm the firewall can successfully ping the internal device.
      4. Repeat this step to verify the firewall can reach all required internal devices.
    3. Verify the firewall cannot reach devices outside of the air gapped network.
      1. For Select Test, select ping.
      2. For the Host, enter an external IP address to verify the firewall cannot reach devices outside of the air gapped network.
      3. Click Execute and wait for the test to complete.
        Click the Test Result when displayed to review the Result Detail to confirm the firewall cannot ping the external device.