Palo Alto NGFW Training Course

In this lesson, we will learn how to configure Palo Alto Networks firewall management. As you probably already know, there are two ways to configure a Palo Alto firewall: the GUI and the CLI. We will mainly use the GUI for the management configuration. Here we will configure:

  • Management IP and gateway
  • Allowing management services such as SNMP
  • Restricting management access to permitted IP addresses
  • DNS and NTP configuration
  • Hostname and timezone configuration

Palo Alto Networks Firewall Management configuration

By default, the Palo Alto firewall uses the Management (MGT) port to retrieve its licenses and to update application and threat signatures. Because of that, the MGT port needs internet access with working DNS settings.

By default, a Palo Alto firewall ships with the following:

Management IP      Username   Password
192.168.1.1/24     admin      admin

Management IP, Gateway, Services and Restriction

First of all, connect your laptop to the MGT interface and give it any IP between 192.168.1.2 and 192.168.1.254. If you want to change the default MGT IP, you have to connect with a console cable and change the MGT IP address from the CLI. The default credentials are admin/admin, as shown above.

To change/set the management IP from the console, enter configuration mode and run the following:

admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# set deviceconfig system ip-address 192.168.43.100 netmask 255.255.255.0

Another important thing: always run commit to apply configuration changes. Until you commit, the changes stay in the candidate configuration and are not active on the device.

[edit]
admin@PA-VM# commit

...75%99%.....100%
Configuration committed successfully

[edit]
admin@PA-VM#

Currently the device is using a self-signed certificate, so the browser will show a certificate warning. Accept it to move forward and log in to the web interface with the default credentials.

Because we are still using the default username and password, it will show the following warning message.

Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.

We need to change the password later. Press OK and continue.

In the dashboard, you will find lots of information: general information, resource information and different logs. To configure the gateway and DNS for the management interface, go to Device >> Setup >> Management >> Management Interface Settings.

Management IP configuration path

We are already using the IPv4 address 192.168.43.100 for device management, so we put 192.168.43.1 as the gateway, which is the management gateway for all of our devices. By default SSH, Ping and HTTPS are allowed; additionally we will allow SNMP. In the third section (Permitted IP Addresses), we limit device management access to the management IP block only (192.168.43.0/24). Adjust this according to your network topology; if the list is left empty, the management interface answers to any source address.

Management IP configuration details

DNS and NTP

Now let's add the DNS servers. To add them, go to Device >> Setup >> Services and press the gear button.

Change DNS for Palo Alto

We are using Google's public DNS servers 8.8.8.8 and 8.8.4.4 here. After changing DNS, we will change NTP; we will use the free Google NTP servers. It is always best to use your own DNS and NTP servers if you have any.

Set DNS config

Set NTP Config

Hostname, Timezone and Banner

Furthermore, you can also change the hostname, timezone and login banner for your Palo Alto Networks firewall. To do that, go to Device >> Setup >> Management >> General Settings. After entering all the information, click Commit in the upper right corner and confirm the commit by pressing OK.

Our Hostname and Timezone setup

If our configuration is OK, we will see a commit confirmation like the one below.

Commit Confirmation

We have successfully completed the management configuration according to our plan.
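The whole management plan from this lesson, expressed as a small planning script. This is an added example, not code from the article or from Palo Alto Networks: it checks the values a reviewer would question before commit (gateway inside the MGT subnet, permitted-ip not empty and covering the admin workstation, no cleartext HTTP or Telnet on the management interface) and then renders the plan as configure-mode `set deviceconfig system ...` commands. The admin host, timezone and NTP hostnames are assumed values, and the command syntax is assumed from PAN-OS CLI conventions rather than taken from the page; confirm it against your PAN-OS release before pasting it in.

```python
"""Sanity-check a PAN-OS management plan and render it as CLI 'set' commands.

Added example; not the article's code. Addresses mirror the article, except
admin_host, timezone and the NTP hostnames, which are constructed/assumed.
The 'set deviceconfig system ...' syntax is assumed from PAN-OS CLI
conventions and should be verified against your PAN-OS release.
"""
import ipaddress

# Constructed configuration plan (the article's addresses plus assumed extras).
MGMT_PLAN = {
    "ip": "192.168.43.100",
    "netmask": "255.255.255.0",
    "gateway": "192.168.43.1",
    "admin_host": "192.168.43.10",          # assumed: workstation doing the config
    "permitted_ip": ["192.168.43.0/24"],    # who may reach the MGT interface
    "services": {                           # True = enabled on MGT
        "ssh": True, "https": True, "ping": True, "snmp": True,
        "http": False, "telnet": False,
    },
    "dns": ("8.8.8.8", "8.8.4.4"),
    "ntp": ("time.google.com", "time1.google.com"),  # assumed Google NTP hostnames
    "hostname": "PA-VM",
    "timezone": "Asia/Dhaka",               # assumed; pick your own
}

# Cleartext management protocols that should stay disabled.
CLEARTEXT_SERVICES = {"http", "telnet"}

# Map the plan's service names to the PAN-OS 'disable-<service>' knobs (assumed).
SERVICE_KNOB = {
    "ssh": "disable-ssh", "https": "disable-https", "ping": "disable-icmp",
    "snmp": "disable-snmp", "http": "disable-http", "telnet": "disable-telnet",
}


def check_plan(plan):
    """Return a list of problems a reviewer would flag before committing."""
    problems = []
    iface = ipaddress.ip_interface(f"{plan['ip']}/{plan['netmask']}")
    gateway = ipaddress.ip_address(plan["gateway"])

    # The gateway must be a different host on the same subnet as the MGT IP.
    if gateway not in iface.network:
        problems.append(f"gateway {gateway} is outside {iface.network}")
    elif gateway == iface.ip:
        problems.append("gateway is the same address as the management IP")

    # An empty permitted-ip list means every source may reach MGT.
    permitted = [ipaddress.ip_network(p, strict=False) for p in plan["permitted_ip"]]
    if not permitted:
        problems.append("permitted-ip is empty: management reachable from any source")

    # Lock-out guard: the admin workstation must fall inside the permitted list.
    admin = ipaddress.ip_address(plan["admin_host"])
    if permitted and not any(admin in net for net in permitted):
        problems.append(f"admin host {admin} is not in permitted-ip; you would lock yourself out")

    # Cleartext protocols expose admin credentials on the wire.
    for svc in sorted(CLEARTEXT_SERVICES):
        if plan["services"].get(svc):
            problems.append(f"cleartext service {svc} is enabled on the management interface")

    return problems


def render_set_commands(plan):
    """Translate the plan into PAN-OS configure-mode commands, ending with commit."""
    cmds = [
        f"set deviceconfig system ip-address {plan['ip']} "
        f"netmask {plan['netmask']} default-gateway {plan['gateway']}"
    ]
    for net in plan["permitted_ip"]:
        cmds.append(f"set deviceconfig system permitted-ip {net}")
    for svc, enabled in sorted(plan["services"].items()):
        knob = SERVICE_KNOB[svc]
        cmds.append(f"set deviceconfig system service {knob} {'no' if enabled else 'yes'}")
    primary, secondary = plan["dns"]
    cmds.append(f"set deviceconfig system dns-setting servers primary {primary} secondary {secondary}")
    ntp1, ntp2 = plan["ntp"]
    cmds.append(f"set deviceconfig system ntp-servers primary-ntp-server ntp-server-address {ntp1}")
    cmds.append(f"set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address {ntp2}")
    cmds.append(f"set deviceconfig system hostname {plan['hostname']}")
    cmds.append(f"set deviceconfig system timezone {plan['timezone']}")
    cmds.append("commit")
    return cmds


if __name__ == "__main__":
    issues = check_plan(MGMT_PLAN)
    if issues:
        print("Plan rejected:")
        for issue in issues:
            print(" -", issue)
    else:
        print("\n".join(render_set_commands(MGMT_PLAN)))
```

Run it as-is and it prints the command list for the article's plan; change `permitted_ip` to an empty list or to a block that does not contain `admin_host` and it refuses the plan instead, which is exactly the mistake that turns the third section of the Management Interface Settings page into either an open management port or a lock-out.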

I have a video version of this article. Please have a look –

If you find this article and video useful, share this content. If you have any questions, please feel free to ask.

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 8+ years of experience in multi-vendor environments. In my current position, I am responsible for taking care of critical projects and their support cases. I have several vendor certificates and plan to go further.

This article has 10 comments

  1. dennis kojo adam

    Thanks so very much Mr. Rajib, for the great job you're doing in the IT industry,
    bringing out the less privileged like me; I'm very much grateful.
    I always read your posts and new comments and learn from them. Thanks so much.

  2. walid

    Hi Rajib,

    Thank you so much for the great tutorials.

    I have an issue in the PaloAlto: the LAN computer can only ping the internet (8.8.8.8) but cannot browse web pages.
    I think it's a DNS issue or something related to the policies.
    Can you advise please?

  3. Dennis kojo Adam

    Thanks so very much Sir for your kind help,
    I’m so much grateful. Happy New year to you.

  4. PaloAltoNewbie

    Hi Rajib,

    One quick question. You have set the default gateway of the management interface to 192.168.43.1. Is that a sub-interface that resides on the Palo Alto FW, or do you have a device in front of the firewall such as a router? I'm trying to set up my management interface and want it to have internet access for updates, services, etc., but since the management interface can't be assigned to a zone I'm a little confused. Let's say I'm using the same subnet. Can I simply create a sub-interface of 192.168.43.1 on the Palo Alto and point the default gateway of the management interface at the sub-interface? Wouldn't it have to be in a security zone to create a sub-interface?

    Thank you!

    • Rajib Kumer Das

      Hi, default gateway will provide internet access on your management link. This interface is out-of-band and it’s only created for management related configuration. You do not need to assign this interface in any zone or sub-interface.

  5. PaloAltoNewbie

    Btw, I forgot to mention I don’t have a router or any device in front of my Palo Alto except the ISP router. It will act as a branch site and be part of a site-to-site VPN. Thanks

    • Rajib Kumer Das

      You need separate connectivity for the management interface and the WAN interface. What you can do is connect the ISP link to the e1/1 interface and the management interface to your LAN switch. All VPN configuration will be on e1/1.
