Identify and configure firewall management interfaces.Palo Alto PCNSA Study Guide v10
- Web Interface
- XML API
All Palo Alto firewalls have a dedicated MGT (management) port on the control plane. This separates the control plane and data plane to safeguard management and to enhance performance.
Initial setup must be done using either the MGT port or serial port.
Some tasks including licensing and updates require the MGT port to have Internet access, or a service route must be configured to the data plane.
- Gather the required information for setup. (IP, Netmask, Default Gateway, DNS Server)
- Connect an Ethernet cable from a computer directly to the firewall MGT port.
- Configure the computer with an IP address in the 192.168.1.0/24 subnet other than 192.168.1.1.
- Navigate to https://192.168.1.1
- Login with the default username of admin and a password of admin. You will be prompted to change this the first time you login.
Four Management Methods
Web Management: The web interface provides configuration and monitoring capabilities. HTTPS is the default method, but insecure HTTP is available, but not recommended.
CLI: The CLI allows for text based configuration and monitoring over Serial, SSH or Telnet. The CLI also offers debugging information. The accounts used for CLI must have CLI enabled.
At first the CLI is in operational mode. This allows for tools like ping, traceroute and show commands. To change the configuration, enter configuration mode by typing configure.
Panorama: Panorama is a Palo Alto Networks centralized management platform. It provides web management of multiple firewalls. Panorama is recommended to help keep consistent policies, especially when you have more than 6 firewalls to manage.
XML API: Provides a REST interface for configuration and monitoring of a firewall. This interface can be used for automation tasks.
Interface Management Profiles
Data plane interfaces can be used as management interfaces. You configure this by using an interface management profile. The profile defines which services (HTTPS, SSH, Ping, Telnet, HTTP, SNMP, Response Pages, and User-ID) are able to be used via the interface that it is attached to. In addition an ACL of allowed management IPs can be applied to this profile. If none is defined, ALL IPs are allowed. If no profile is attached, all management traffic is denied on that port.
Firewall Web Interface
The default view is a dashboard that provides a condensed set of information. The dashboard is customizable with multiple widgets.
- Application widgets
- ACC Risk Factor
- Top Applications
- Top High Risk Applications
- Logs widgets
- Config logs
- Data Filtering logs
- System logs
- Threat logs
- URL Filtering logs
- System widgets
- General info
- Logged in Admins
- System Resources
- Dashboard: Functional information about the firewall
- ACC: Graphically depicts firewall trends
- Monitor: Log visibility and packet captures
- Policies: Security and NAT policies
- Objects: Creation of network, host and other objects
- Network: Configuration of zones, interfaces and other network parts
- Device: Allow system configuration like hostname, and certificates. Configuration backup
Task Icon: appears in the bottom right, displaces tasks since the last firewall reboot including automated and manual tasks like commits
Service Routes: For communication to update servers, DNS, Email and other management external services, routes can be added to allow non-MGT ports to be used. This is done under Device>Setup>Services>Service Route Configuration>Customize
Three services are important for firewall operation and DNS MUST be setup during the initial configuration.
DNS: Domain Name System (DNS) is used by the firewall to resolve hostnames. At least one DNS server must be configured. It is configured under Device>Setup>Services>Services_gear_icon, then click servers and add the primary and secondary DNS server addresses, click ok and then commit.
DHCP: Allows configuration of the IP address for the MGT port via DHCP, not required
NTP: NTP is recommended (or required depending on the documentation) and is configured under Device>Setup>Services>services_gear_icon. NTP keeps the firewall’s clock in sync.