Mastering Palo Alto Networks: Build, configure, and deploy network solutions for your infrastructure using features of PAN-OS , Second Edition
Mastering Palo Alto Networks

Setting Up a New Device

In this chapter, we will cover how you can gain access to the console and web interface of a fresh-out-of-the-box firewall appliance or a cleanly staged Virtual Machine (VM). You will learn how to license, update, and upgrade the firewall so that the latest features are available when you start building your security policy, and the latest signatures are always loaded onto the device to protect your users and infrastructure from malware and vulnerability exploits.

We are going to harden your management configuration to ensure a rigid security stance, and we will also look at the different types of network interface modes—aggregated interfaces and routing.

In this chapter, we’re going to cover the following main topics:

  • Gaining access to the user interface
  • Adding licenses and setting up dynamic updates
  • Upgrading the firewall
  • Hardening the management interface
  • Understanding the interface types

By the end of this chapter you’ll be able to quickly set up a fresh firewall, register it, and upgrade it to a desirable level in a short amount of time. You’ll be able to apply best practices and leverage strong authentication for your administrative access, and you will be able to quickly identify which interface configuration will suit any given network topology that the firewall needs to be placed in.

Technical requirements

For this chapter, a basic understanding of network appliances is required as we will be looking at physically connecting to a device, configuring the management environment, and choosing the data plane interface’s deployment mode. Basic knowledge of standing up a virtual appliance in a virtual environment, including connecting it to virtual switches or virtual interfaces and providing it with network access on a hypervisor, is also required.

Gaining access to the user interface

If you are deploying your firewall on a cloud provider like Azure or AWS, take a look at Chapter 14, Cloud-Based Firewall Deployments.

When taking a new device out of the box or setting up a VM on a local hypervisor, such as VMware ESXi, Fusion, NSX, Hyper-V, KVM, and so on, one of the first things you may need to do is to connect a console cable to gain access to the Command-Line Interface (CLI).

Older models only come with an RJ45 console port, so for those you will need a standard DB9-to-RJ45 console cable, optionally patched through a serial-to-USB cable so a modern laptop is able to interface with the port. The pinout for the DB9 should be as follows (DB9 pin, RJ45 pin, signal):

DB9 pin - RJ45 pin - Signal
1 - Empty - Data Carrier Detect (DCD)
2 - 3 - Receive Data (RXD)
3 - 6 - Transmit Data (TXD)
4 - 7 - Data Terminal Ready (DTR)
5 - 4 - Ground (GND)
6 - 2 - Data Set Ready (DSR)
7 - 8 - Request To Send (RTS)
8 - 1 - Clear To Send (CTS)
9 - Empty - Ring Indicator (RI)

Luckily there are USB-to-RJ45 cables available as well that will save you the trouble of figuring out the correct pinouts.

Figure 2.1: RJ45-to-USB console cable

All but the very old models also come with a micro-USB port, which allows a console connection to be made using a standard USB-A-to-micro-USB cable, as in the following picture:

Figure 2.2: PA-460 RJ45 and the micro USB console ports

In all cases, you will need to find which COM or TTY port is being used on your computer’s operating system.

On a Windows machine, the first time you plug in the cable a driver may need to be installed. Once the installation has completed you need to find the virtual COM port number that has been assigned to the console cable. In most cases, you can determine this virtual COM port number by following these steps:

  1. Open the Device Manager.
  2. Click Start | Control Panel | Hardware and Sound | Device Manager (under “Devices and Printers”).
  3. In the Device Manager list, look in Ports and find the virtual COM port assigned to the USB port. This entry will look similar to “USB to Serial Port (COM#)” where COM# is the number to be used in the following step.

Once you’ve determined the appropriate COM#, you will need a terminal emulation client to connect to the console. You can use a free client for this, such as PuTTY from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html.

Besides the COM port, you may need to provide more settings to be able to connect. If asked, use these settings:

Bits per second: 9600
Data Bits: 8
Parity: none
Stop bits: 1
Flow control: none

On macOS and Linux, a USB serial connection will usually create a new tty (TeleTYpewriter) entry in the /dev/ directory; a USB-to-DB9 dongle may create a Call-Up (CU) entry in the /dev/ directory.

Find the proper device by searching with either of these commands:

ls /dev/tty.*
ls /dev/cu.*

You will find /dev/cu.usbserialxxxxx or /dev/tty.usbmodemxxxxx, where xxxxx is the serial device name.

Once you determine the appropriate device, you can connect to the console port by using the screen command set to 9600 bits per second:

screen /dev/tty.usbmodemxxxxx 9600

Now, go ahead and connect the console cable or micro USB to your laptop and appliance. If you have a port free on your management network, go ahead and connect the firewall’s MGT port to the switch. If you don’t have a management connection available yet, you will need to connect your laptop directly to the MGT port for easier access once the IP is set up on the management interface. Lastly, plug in the power cable.

If the firewall is loaded in a VM or cloud entity, hit the Start button to boot up the virtual appliance.

Once you’ve logged on to the console, you will see the operating system boot up, and if the firewall is already connected to a DHCP-enabled management network, you will see something similar to the following, where the DHCP address is already listed for your convenience:

Figure 2.3 – PA-VM post-boot DHCP information

If you missed this information, you can log on and use the following command to see the DHCP information:

admin@PA-220> show system info
hostname: PA-220
ip-address: 192.168.27.116
public-ip-address: unknown
netmask: 255.255.255.0
default-gateway: 192.168.27.1
ip-assignment: dhcp

If, for some reason, you have not yet received a DHCP address from your DHCP server, you can initiate a renewal from the operational (>) prompt with the request dhcp client management-interface renew command.

Important note

The default username and password for a factory settings appliance or VM are as follows:

Username: admin

Password: admin

The first time you log on, you will be asked to change this default password.

If your network does not have a DHCP server, or you connected the firewall directly to your laptop, you will need to set an IP address manually. Copy and paste the following sheet into a text file and replace the <IP> entries with the appropriate IP for your management interface, the default gateway it will use to reach the internet, and the DNS servers it will use to resolve domain names. Type the netmask in dotted-quad notation (x.x.x.x), not in CIDR prefix notation such as /16 or /24:

configure
set deviceconfig system type static
set deviceconfig system ip-address <IP>
set deviceconfig system netmask <x.x.x.x>
set deviceconfig system default-gateway <IP>
set deviceconfig system dns-setting servers primary <IP>
set deviceconfig system dns-setting servers secondary <IP>
commit

You can chain set commands that belong to the same path and class so that you do not need to issue a separate set command for each attribute; instead, you can add all the desired settings at once. In the next example, I first changed the default password, entered configuration mode, switched the management interface from DHCP to static configuration, and then combined all the configuration parameters for the management interface into one set command:

admin@PA-220> set password
Enter old password :
Enter new password :
Confirm password   :
Password changed
admin@PA-220> configure
Entering configuration mode
[edit]
admin@PA-220# set deviceconfig system type static
[edit]
admin@PA-220# set deviceconfig system ip-address 192.168.27.5 netmask 255.255.255.0 default-gateway 192.168.27.1 dns-setting servers primary 1.1.1.1 secondary 1.0.0.1
[edit]
admin@PA-220# commit
Commit job 2 is in progress. Use Ctrl+C to return to command prompt
...........................................55%....75%.....98%.......................100%
Configuration committed successfully
[edit]
admin@PA-220#

You may need to log back in after running the commit statement as the admin password was changed.
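To avoid the netmask mistake the text warns about, here is an added example (not code from the book) that takes the management address in CIDR form, converts the prefix to the dotted-quad netmask the CLI expects, checks that the gateway actually sits inside the management subnet, and emits either the chained set command from the session above or the one-attribute-per-line sheet. The function names and sample addresses are my own.

```python
"""Build the PAN-OS management-interface configuration from a CIDR address.

Added example, not code from the book: it emits the `set deviceconfig system`
commands shown in the chapter, converting a /prefix into the dotted-quad
netmask the CLI expects and rejecting a gateway outside the subnet. The
function names are my own.
"""
import ipaddress
from typing import List, Optional


def prefix_to_netmask(prefix: int) -> str:
    """Convert an IPv4 prefix length to dotted-quad form (24 -> 255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid IPv4 prefix length: {prefix}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def mgmt_static_config(cidr: str, gateway: str, dns_primary: str,
                       dns_secondary: Optional[str] = None,
                       chained: bool = True) -> str:
    """Return the configuration-mode commands that set a static MGT address.

    cidr is the management address with prefix, e.g. "192.168.27.5/24".
    Raises ValueError when the address is the network or broadcast address,
    when the gateway is not inside the management subnet, or when a DNS
    server is not a valid IPv4 address. A commit would accept such values,
    but the firewall could never reach its gateway or resolver afterwards.
    """
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net or gw == iface.ip:
        raise ValueError(f"gateway {gw} must be inside {net} and differ from {iface.ip}")
    for server in (dns_primary, dns_secondary):
        if server is not None:
            ipaddress.IPv4Address(server)  # raises ValueError on a malformed address
    netmask = prefix_to_netmask(net.prefixlen)

    lines: List[str] = ["configure", "set deviceconfig system type static"]
    if chained:
        # One set command carrying every attribute of the same path, as in the chapter.
        cmd = (f"set deviceconfig system ip-address {iface.ip} netmask {netmask} "
               f"default-gateway {gw} dns-setting servers primary {dns_primary}")
        if dns_secondary:
            cmd += f" secondary {dns_secondary}"
        lines.append(cmd)
    else:
        # One attribute per set command, matching the copy-and-paste sheet.
        lines += [
            f"set deviceconfig system ip-address {iface.ip}",
            f"set deviceconfig system netmask {netmask}",
            f"set deviceconfig system default-gateway {gw}",
            f"set deviceconfig system dns-setting servers primary {dns_primary}",
        ]
        if dns_secondary:
            lines.append(f"set deviceconfig system dns-setting servers secondary {dns_secondary}")
    lines.append("commit")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values matching the addresses used in the chapter.
    print(mgmt_static_config("192.168.27.5/24", "192.168.27.1", "1.1.1.1", "1.0.0.1"))
```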

Important note

The > prompt in username@hostname> indicates that you are in operational mode and can execute runtime commands. The # prompt in username@hostname# indicates that you are in configuration mode and can add configuration parameters.

Operational commands can be run from config mode by prefixing run to a command—for example, user@host# run show clock.

Once the commit job finishes, you will be able to connect to the web interface through https://<IP> or by using an SSH client, such as PuTTY or the ssh command in Linux or macOS.

You are now able to get onto a freshly started firewall and configure it, so we can move on to the next step and gain access to the web interface.

Connecting to the web interface and CLI

Now that your device has an IP address, you can connect to its web interface via any browser using https://<IP>.

You will be met with an unfriendly error message, as in the following screenshots. This is due to the web interface using a self-signed certificate that was not issued by a certificate authority your browser trusts. For now, this can be safely ignored:

Figure 2.4 – Certificate warnings in Chrome and Firefox

An SSH client will provide you with a slightly friendlier question:

tom$ ssh -l admin 192.168.27.115
The authenticity of host '192.168.27.115 (192.168.27.115)' can't be established.
RSA key fingerprint is SHA256:Qmre8VyePwwGlaDmm6JTYtjou42d1i/Ru6xZmmEk8Yc.
Are you sure you want to continue connecting (yes/no)?

The SSH connection will provide you with mostly the same user experience as the console connection, but SSH is more responsive and secure, and you can now access your device from anywhere on the management network.

The web interface provides you with a whole new user experience. When prompted for your username and password, input the default admin/admin combination or the username and password you created on the cloud provider.

Once you are logged in, the first screen you will see is the dashboard, which contains some general information about the health of your system, config changes, and which admins are logged on. The dashboard can be customized and additional widgets can be added from a list of prepared widgets, or widgets can be removed if they are not relevant.

For now, the General Information widget contains the most important information as you will need the serial number of the physical device, or the CPU ID and UUID on a virtual device, as shown in the screenshot below. The CPU ID and UUID will be needed to register and activate the VM while a physical device can be activated by its serial number:

Figure 2.5 – On the left is a PA-220 device, and on the right is a PA-VM device

Now that you have access to the web interface and are able to collect the system’s base information, we can go ahead and register the firewall and activate any of the feature licenses that were purchased. We will now have a look at how to perform the registration and licensing procedures.

Key benefits

  • Understand how to optimally use PAN-OS features
  • Build firewall solutions to safeguard local, cloud, and mobile networks
  • Protect your infrastructure and users by implementing robust threat prevention solutions

Description

Palo Alto Networks’ integrated platform makes it easy to manage network and cloud security along with endpoint protection and a wide range of security services. This book is an end-to-end guide to configure firewalls and deploy them in your network infrastructure. You will see how to quickly set up, configure and understand the technology, and troubleshoot any issues that may occur. This book will serve as your go-to reference for everything from setting up to troubleshooting complex issues. You will learn your way around the web interface and command-line structure, understand how the technology works so you can confidently predict the expected behavior, and successfully troubleshoot any anomalies you may encounter. Finally, you will see how to deploy firewalls in a cloud environment, and special or unique considerations when setting them to protect resources. By the end of this book, for your configuration setup you will instinctively know how to approach challenges, find the resources you need, and solve most issues efficiently.

Who is this book for?

The book is for network and security professionals, and administrators who want to bring in the power of Palo Alto Networks firewalls to secure their networks. Engineers should have a good grasp of networking and routing protocols; basic knowledge of stateful or next-generation firewalls is helpful but not required.

What you will learn

  • Explore your way around the web interface and command line
  • Discover the core technologies and see how to maximize your potential in your network
  • Identify best practices and important considerations when configuring a security policy
  • Connect to a freshly booted appliance or VM via a web interface or command-line interface
  • Get your firewall up and running with a rudimentary but rigid configuration
  • Gain insight into encrypted sessions by setting up SSL decryption
  • Troubleshoot common issues, and deep-dive into flow analytics
  • Configure the GlobalProtect VPN for remote workers as well as site-to-site VPN

Product Details

Publication date : Jun 08, 2022
Length: 636 pages
Edition : 2nd
Language : English
ISBN-13 : 9781803233246
Table of Contents

17 Chapters
  • Understanding the Core Technologies
  • Setting Up a New Device
  • Building Strong Policies
  • Taking Control of Sessions
  • Services and Operational Modes
  • Identifying Users and Controlling Access
  • Managing Firewalls through Panorama
  • Upgrading Firewalls and Panorama
  • Logging and Reporting
  • Virtual Private Networks
  • Advanced Protection
  • Troubleshooting Common Session Issues
  • A Deep Dive into Troubleshooting
  • Cloud-Based Firewall Deployment
  • Supporting Tools
  • Other Books You May Enjoy
  • Index
