Palo Alto Basic Setup

The document outlines the setup and configuration process for a Palo Alto firewall for company ABC, focusing on blocking suspicious IP traffic and securing unused ports. It details steps for integrating the firewall into the management network, configuring DNS settings, and implementing security policies to restrict access. Additionally, it emphasizes best practices for network security and management, including the use of DNS sinkholes and anti-spyware profiles.


PALO ALTO FIREWALL SETUP

Initial Configuration and Rules


You are the network administrator for company ABC. Your new Palo Alto
firewall has arrived, and you are excited to get it setup and running. Your
company has been experiencing strange activity (probes, etc.) coming from
an IP address 58.218.199.147 on ports associated with DNS, email, web and
remote desktop.
1. You are tasked with setting up your new Palo Alto firewall so that any
traffic that originates from the offending IP address is blocked.
2. You are also tasked with locking down all unused ports.
3. Your supervisor also wants you to make sure that DNS can only go
between your LAN hosts and the DC1 & DC2 servers (192.168.1.10 &
192.168.1.11).
Create a Microsoft Word document.
Word document must have a title page at the beginning, your answer to the
scenario & a reference page at the end.

> Integrate the Firewall into Your Management Network


Step 1 – Install the firewall and connect the power supply (and/or a 2nd power
supply).
Step 2 – Gather the required information, including:
o IP Address for MGT Port – 192.168.1.1
o Netmask – 255.255.255.0
o Default Gateway – 192.168.1.254
o DNS Server Address – 192.168.1.10
o Secondary DNS – 192.168.1.11
Step 3 – Connect your computer to the firewall.
Connect an RJ-45 Ethernet cable to the MGT port, open a browser and
go to the URL https://192.168.1.1
Step 4 – Log in to the firewall with the default username and
password (admin/admin).
Step 5 – Set a new secure password for the admin account following best
practices.
Select Device > Administrators > Admin role > enter the default and
new passwords > click OK
Step 6 – Configure the MGT interface
o Select Device > Setup > Interfaces >> Edit the Management
Interface
o Configure the Address Settings:
- Method A – Static Address – Set the IP TYPE to STATIC
and enter the IP address, Netmask, and Default gateway
- Method B – Dynamic IP – Set the IP TYPE to DHCP CLIENT
(after configuring the management interface as a DHCP
client). Best practice is to ADD the permitted IP
addresses that the admin will be using to access the MGT
interface.
o Set the Speed to Auto-Negotiate
o Select which management services to allow on the interface (be
sure Telnet and HTTP are not selected!)
o Click OK
Step 7 – Configure DNS, the update server and proxy settings
o Select Device > Setup > Services
- For multi-virtual-system platforms, select GLOBAL and edit
the Services section
- For single-virtual-system platforms, edit the SERVICES
section
o On the Services tab, for DNS click one of the following:
- Servers – Enter the Primary DNS server address 192.168.1.10
and the Secondary DNS Server address 192.168.1.11
- DNS Proxy Object – From the drop-down menu select
the DNS Proxy that you’ll be using to configure global
DNS services, or click DNS Proxy to configure a NEW
DNS Proxy OBJECT
o Click OK
Step 8 – Configure date and time (NTP) settings
o Select DEVICE > SETUP > SERVICES
- For multi-virtual-system platforms, select GLOBAL and edit
the services
- For single-virtual-system platforms, edit the ‘Services’
section
o Find the NTP tab >> to use the internet time server cluster,
enter the hostname ‘pool.ntp.org’ as the primary NTP server (or
enter your own NTP server).
o You can optionally enter a 2nd NTP server address
o Optionally, you can authenticate time updates from the NTP
server(s); for ‘Authentication Type’ select one of the following:
- None
- Symmetric Key >> Key ID (1-65534) >> Algorithm (MD5 or
SHA1)
- Autokey (public key cryptography)
o Click OK
STEP 10 – Commit Your Changes
STEP 11 – Connect the Firewall to the Network
- Disconnect the firewall from your computer
- Connect the MGT port to a switch port with the RJ-45 cable.
- Note: The switch port connected to the firewall should be
configured for auto-negotiation
STEP 12 – Use PuTTY or other terminal emulation software to open an SSH
management session to the firewall using the new IP address assigned to it.
STEP 13 – Verify network access to external services required for firewall
management, such as the PAN Update Server
o If no external network access will be allowed, continue to ‘Setup
Network Access for External Services’ – this way you can set up a
data port to retrieve required service updates.
o If you DO plan to allow external network access, verify that you
have connectivity and proceed to ‘Register the Firewall’ and
‘Activate Subscription Licenses’ with the following steps.
- Use the update server connectivity test to verify connectivity
to the PAN update server.
- Select DEVICE > TROUBLESHOOTING > UPDATE
SERVER CONNECTIVITY >> Select the ‘TEST’ drop-
down.
- Execute the Server Connectivity Test
- Use the following CLI command to retrieve info on the
support entitlement for the firewall from the PAN update
server:
o request support check
o IF you have connectivity you will get a status
update for your firewall; if NOT you will see the
following message

SETUP NETWORK ACCESS FOR EXTERNAL SERVICES

REGISTER YOUR FIREWALL USING YOUR EXISTING PAN CUSTOMER
SUPPORT ACCOUNT
STEP 1 – Log in to the firewall web interface using a secure (HTTPS)
connection.
STEP 2 – Sign in to your account > Register a Device > Register with
Authorization Code
o Enter your Firewall Serial Number
o (optional) – Enter Device Name and Tag
o (optional) – if the device will NOT have a connection to the
internet select ‘Device will be used offline’
o Enter information about where the device will be deployed
(Address, City, Zip Code, Country)
o Read the User Agreement and ‘Submit’
RECOMMENDED (OPTIONAL BEST PRACTICE) – PERFORM DAY 1
CONFIGURATION

The benefits of Day 1 Configuration templates include:


• Faster implementation time
• Reduced configuration errors
• Improved security posture

To deal with the IP address that is causing suspicious probes we can block
the entire IP address and/or configure other options. To do this:
CONFIGURE RECONNAISSANCE PROTECTION to BLOCK THE SUSPICIOUS
IP ADDRESS THAT HAS BEEN PROBING THE NETWORK
There are 4 options to choose from:
o ALLOW – The firewall allows the port scan or host sweep
reconnaissance to continue
o ALERT – The firewall generates an alert each time the port scan
or sweep takes place (this is the default action)
o BLOCK – The firewall drops all subsequent packets from the
source to the destination for the remainder of a specified time
interval
o BLOCK IP – The firewall drops all subsequent packets for the specified
DURATION (1-3,600 seconds). Track By determines
whether the firewall blocks source or source-and-destination
traffic.

STEP 1 – Configure Reconnaissance Protection

- Select Network > Network Profiles >> Zone
Protection
- Select a Zone Profile or ADD a new one and enter a
NAME for it
- On the Reconnaissance Protection Tab, select the
scan types to protect against (in this case port
3389 (remote desktop), ports 80 and 443 (HTTP and
HTTPS), port 53 (DNS), and ports 25, 26, 465, 995,
993, 110 and 143 (for SMTP and POP3 ports:
encrypted, unencrypted, SSL and TLS email)).
- Select an ACTION for each scan; if BLOCK IP is
selected you’ll also need to configure the source,
destination, and duration.
- Set the INTERVAL in seconds to define the window in which
port scan events or host sweeps are counted.
- Set the THRESHOLD to the number of port scan events or
host sweeps that must occur within the configured interval
to trigger the action.
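The interaction of INTERVAL, THRESHOLD and BLOCK IP is easier to see on a timeline. The following model is an added example for this assignment, not the assignment's own material and not PAN-OS code: it counts the distinct watched ports each source touches inside a sliding window and blocks the source for the configured duration once the threshold is reached. The packet timelines are constructed; only 58.218.199.147 and the port list come from the scenario, and the firewall's real scan signatures are more elaborate than this.

```python
"""Sliding-window model of the Interval, Threshold and Block IP settings on the
Reconnaissance Protection tab, tracked by source.

Added example, not part of the assignment and not PAN-OS code; it illustrates
how the three parameters interact and does not reproduce the firewall's exact
scan signatures. The packet timelines are constructed; 58.218.199.147 and the
watched ports come from the scenario."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Ports named in the scenario: RDP, HTTP/HTTPS, DNS and the mail ports.
WATCHED_PORTS = {3389, 80, 443, 53, 25, 26, 465, 995, 993, 110, 143}


class PortScanGuard:
    """Count the distinct watched ports each source touches inside a window of
    `interval` seconds; at `threshold` or more, apply BLOCK IP to that source
    for `duration` seconds."""

    def __init__(self, interval: int = 2, threshold: int = 5, duration: int = 3600):
        self.interval, self.threshold, self.duration = interval, threshold, duration
        self._window: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}
        self.alerts: List[Tuple[float, str, int]] = []   # (time, source, ports seen)

    def packet(self, t: float, src: str, dport: int) -> str:
        """Verdict for one packet: 'blocked' (source is under BLOCK IP),
        'block-ip' (this packet crossed the threshold) or 'allow'."""
        if self.blocked_until.get(src, float("-inf")) > t:
            return "blocked"
        if dport not in WATCHED_PORTS:
            return "allow"
        win = self._window[src]
        win.append((t, dport))
        while win and win[0][0] < t - self.interval:   # expire events outside the window
            win.popleft()
        distinct = {port for _, port in win}
        if len(distinct) >= self.threshold:
            self.blocked_until[src] = t + self.duration
            self.alerts.append((t, src, len(distinct)))
            win.clear()
            return "block-ip"
        return "allow"


def simulate(packets: List[Tuple[float, str, int]], **settings) -> List[str]:
    """Run a constructed packet timeline through one guard and return the verdicts."""
    guard = PortScanGuard(**settings)
    return [guard.packet(t, src, dport) for t, src, dport in packets]


# Constructed timelines: the scenario's host touches five services within half a
# second and then keeps going; a LAN host repeats one port; a slow probe spaces
# its packets three seconds apart.
FAST_SCAN = [(0.0, "58.218.199.147", 53), (0.1, "58.218.199.147", 25),
             (0.2, "58.218.199.147", 80), (0.3, "58.218.199.147", 443),
             (0.4, "58.218.199.147", 3389), (1.0, "58.218.199.147", 110)]
SINGLE_PORT = [(i * 0.1, "192.168.1.50", 53) for i in range(10)]
SLOW_SCAN = [(i * 3.0, "58.218.199.147", p) for i, p in enumerate([53, 25, 80, 443, 3389])]

if __name__ == "__main__":
    for name, pkts in (("fast scan", FAST_SCAN), ("single port", SINGLE_PORT), ("slow scan", SLOW_SCAN)):
        print(name, simulate(pkts))
```

Running the three timelines shows why the interval matters: with a 2-second interval the fast scan trips BLOCK IP on its fifth packet and every later packet is dropped, repeated queries to one port never count as a scan, and the slow probe never reaches the threshold until the interval is widened (for example to 15 seconds).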

DNS, email, web and remote desktop

If you want to completely block the questionable IP address you can ‘Create a
Security Policy with a URL Filtering profile.’ Here are the steps.
- From the Palo Alto Dashboard web interface navigate to the Policies tab
and select ‘Security’ in the left pane.
- Click Add and configure the:
o Name > ingress
o Rule type > Universal
o Add tags > ingress
o If you want, you can group the rule by tag also > ingress
o Make a comment > ‘created by Larry Jones 4/27/2022’
o Under the Application Tab > select the ‘Any’ checkbox
- Switch to the Source Tab
o Click Add > select ‘outside’
o In the 2nd (right) pane click ‘Add’ and enter the questionable IP
address 58.218.199.147
- Switch to the Actions Tab
o Under Action Setting select – Block
o Under Log Setting select – Log at Session Start (to get alerts as
soon as an attempt is made to access the network).
o Click OK
- Your new security rule will now appear under the ‘Policies’ tab. Here
you can click on the rule to see and/or change the settings.
- You can view whether attempts have been made from that address by looking
at the logs section.

By default, when a security policy group is created a ‘Deny ALL’ rule will be
created, therefore all other traffic except that which is allowed by security
policy rules will be denied.
To allow DNS traffic from your servers and LAN hosts only
Allow only DNS (port 53) traffic from 192.168.1.10 & 192.168.1.11 to the LAN
hosts.
To do this create another Security Policy Rule as outlined above except
‘allow’ the specific URLs, ‘allow’ DNS (port 53) under the Applications tab, and
block ‘Any’ other traffic and allow logging. Then add a ‘DENY ANY’ to the rule
(or as an additional rule) to block all other traffic.
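Security rules are evaluated top to bottom and the first match wins, so the order of the block rule, the DNS allow rule and the ‘DENY ANY’ rule decides what actually gets through. The following model is an added example, not the assignment's own material and not PAN-OS code: it encodes the three rules described above and evaluates sample flows against them. Zone names (‘outside’, ‘inside’) and the LAN subnet 192.168.1.0/24 are assumptions; 58.218.199.147, 192.168.1.10 and 192.168.1.11 come from the scenario.

```python
"""First-match model of the security policy the text builds: block the probing
source, allow DNS only between LAN hosts and DC1/DC2, deny everything else.

Added example, not the assignment's own material and not PAN-OS code. Zone
names ('outside', 'inside') and the LAN subnet 192.168.1.0/24 are assumptions;
58.218.199.147, 192.168.1.10 and 192.168.1.11 come from the scenario."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    sources: List[str] = field(default_factory=lambda: ["any"])
    destinations: List[str] = field(default_factory=lambda: ["any"])
    services: List[str] = field(default_factory=lambda: ["any"])   # e.g. "udp/53"
    log_start: bool = False

    def matches(self, f: Flow) -> bool:
        return (self.from_zone in ("any", f.src_zone)
                and self.to_zone in ("any", f.dst_zone)
                and _addr_match(self.sources, f.src)
                and _addr_match(self.destinations, f.dst)
                and any(s in ("any", f"{f.proto}/{f.dport}") for s in self.services))

    def is_catch_all(self) -> bool:
        return (self.from_zone == self.to_zone == "any"
                and self.sources == self.destinations == self.services == ["any"])


def _addr_match(wanted: List[str], addr: str) -> bool:
    """True if addr is 'any', a listed host, or inside a listed subnet."""
    ip = ip_address(addr)
    return any(w == "any" or ip in ip_network(w, strict=False) for w in wanted)


# The three rules from the text, in the order the firewall must evaluate them.
POLICY = [
    Rule("ingress", "deny", from_zone="outside", sources=["58.218.199.147"], log_start=True),
    Rule("allow-lan-dns", "allow", from_zone="inside", to_zone="inside",
         sources=["192.168.1.0/24"], destinations=["192.168.1.10", "192.168.1.11"],
         services=["udp/53", "tcp/53"]),
    Rule("deny-any", "deny"),       # explicit catch-all; mirrors the implicit deny
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule; first match wins."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Names of rules placed after a catch-all, which can never match anything."""
    for i, rule in enumerate(policy):
        if rule.is_catch_all():
            return [r.name for r in policy[i + 1:]]
    return []
```

With the rules in the order shown, a probe from 58.218.199.147 hits ‘ingress’, a LAN host resolving against DC1 is allowed, and a LAN host trying an outside resolver or SMB to DC1 falls through to ‘deny-any’. Reversing the list puts the catch-all first and shadowed_rules reports that both remaining rules are unreachable, which is the mistake the ‘add DENY ANY as an additional rule’ wording can invite.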

To BLOCK ALL Traffic from any Unused ports…


First, figure out exactly what ports you need; this can be done by viewing
traffic flow logs and/or tcpdump, Wireshark or Palo Alto logs.

Once you’ve figured out what ports you DON’T need….


To block all unused ports on Palo Alto go to OBJECTS > SERVICES.
HERE ARE THE OPTIONS YOU’LL NEED TO CONFIGURE:
o CREATE A NEW RULE
o ADD A DESCRIPTION
o SELECT IF THE SERVICE OBJECT WILL BE SHARED (with other
groups, or virtual systems)
o SELECT THE PROTOCOL (TCP or UDP)
o SELECT THE PORT (OR RANGE OF PORTS) – For both destination
and source ports. – The range here is 0-65535; it is
recommended to close ALL ports except those of essential
common ports, e.g. HTTPS 443 (block the insecure port 80
HTTP?..), DNS 53 (unless you have your own DNS server you can
allow it internally), TCP 110 for email POP3 and Exchange
server, 25 for SMTP email, 67 for DHCP (unless all your machines
have static addresses), 123 (Windows Time). ….
o SELECT THE SESSION TIMEOUT – CHOOSE
- Inherit from Application – the application timeout is applied, OR
- Override – define a custom timeout for TCP half closed (see
below) or continue to populate the TCP timeout
o TCP TIMEOUT – Set the timeout after a session has started: 1-
604800 seconds (default is 3600 seconds)
o TCP HALF CLOSED – Maximum time open after one side tries to
close the session (with a FIN or RST packet) – Default is 120 seconds
o TCP WAIT TIME – Maximum time open after two FIN packets.
Default is 15 seconds. Max is 600 seconds
NOTE: Be careful with this setting, as blocking thousands of ports
can break a lot of things! But the ‘TCP half closed’ option is helpful: internet
sessions that are established by the host will still be able to
communicate on random ports for the duration of a session.
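The three timers on a service object only make sense against a session's lifetime. The following model is an added example, not the assignment's own material and not PAN-OS code: it walks a session's packets and reports which timer is running and when the session table entry expires, using the descriptions and defaults given above (TCP timeout 3600 s, TCP half closed 120 s, TCP wait time 15 s). It is a simplification of the firewall's real session handling, and the packet timelines are constructed.

```python
"""Model of the three TCP timers on a service object, using the descriptions
and defaults the text gives: TCP timeout (idle, 3600 s), TCP half closed
(after the first FIN/RST, 120 s) and TCP wait time (after the second FIN, 15 s).

Added example, not the assignment's own material and not PAN-OS code; it is a
simplification of the firewall's session handling, and the packet timelines
are constructed."""
from typing import List, Optional, Tuple

Event = Tuple[float, str]      # (seconds since start, 'syn' | 'data' | 'fin' | 'rst')


def session_state(events: List[Event], tcp_timeout: int = 3600,
                  tcp_half_closed: int = 120, tcp_wait: int = 15) -> Tuple[Optional[str], Optional[float]]:
    """Walk a session's packets in time order and return (state, expiry time):
    'established' while both sides are open (idle timer refreshed by data),
    'half-closed' after one side has sent FIN or RST, 'closing' after the
    second close."""
    state, expiry, closes = None, None, 0
    for t, kind in events:
        if kind == "syn":
            state, expiry, closes = "established", t + tcp_timeout, 0
        elif state is None:
            raise ValueError(f"packet '{kind}' at {t}s before any session was opened")
        elif kind == "data":
            if state == "established":
                expiry = t + tcp_timeout          # activity refreshes the idle timer
        elif kind in ("fin", "rst"):
            closes += 1
            if closes == 1:
                state, expiry = "half-closed", t + tcp_half_closed
            else:
                state, expiry = "closing", t + tcp_wait
        else:
            raise ValueError(f"unknown packet kind {kind!r}")
    return state, expiry


def is_open(events: List[Event], now: float, **timers) -> bool:
    """True if the firewall would still hold the session table entry at `now`."""
    state, expiry = session_state(events, **timers)
    return state is not None and now < expiry


# Constructed timelines.
IDLE = [(0.0, "syn"), (10.0, "data")]                 # nobody closed; idle timer runs
HALF = [(0.0, "syn"), (10.0, "data"), (20.0, "fin")]  # one side closed
FULL = HALF + [(22.0, "fin")]                         # both sides closed

if __name__ == "__main__":
    for name, tl in (("idle", IDLE), ("half-closed", HALF), ("closed", FULL)):
        print(name, session_state(tl), "override half-closed=30:", session_state(tl, tcp_half_closed=30))
```

The idle session stays in the table for a full hour after its last data, the half-closed one for two minutes, and the fully closed one for fifteen seconds; overriding TCP half closed to 30 seconds is what shortens the middle case, which is the knob the NOTE above refers to.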

BEST PRACTICE: It’s also best practice to shut down all unused interfaces
on your switch hardware!

BEST PRACTICE:
To prevent malicious DNS queries on a global basis, it is
recommended to set up a DNS Sinkhole External list. There are a
number available dynamically through Palo Alto subscriptions. Otherwise, if
you have your own list in a text file, it should be hosted in the DNS zone where
it can be referenced. You can set up your sinkhole as follows with
screenshots from my previous homework assignment - Netlab NDG 5 from
netdevgroup.com in the Green River IT 340 Firewalls class.
NOTE: Palo Alto also has lists of domains that you can add to your
DNS sinkhole list – these are updated regularly and should be added
to your lists!

Configure DNS-Sinkhole External Dynamic List


An External Dynamic List is an object that references an external list of IP
addresses, URLs, or domain names that can be used in policy rules. You
must create this list as a text file and save it to a web server that the firewall
can access. By default, the firewall uses its management port to retrieve the
list items.

1. In the web interface, select Objects > External Dynamic Lists.
2. Click Add to configure a new External Dynamic List.
3. In the External Dynamic Lists window, configure the following and then click
OK.

Parameter                                   Value
Name                                        lab-dns-sinkhole
Type                                        Domain List
Source                                      http://192.168.50.10/dns-sinkhole.txt
                                            (This is hosted on the DMZ server.)
Automatically expand to include subdomains  Select the checkbox
Check for updates                           Five Minute

4. Commit all changes.
5. Click on lab-dns-sinkhole to open the configuration you just created.
6. In the External Dynamic List window, click the Test Source URL button.
7. Confirm that the firewall reports that the source URL is accessible and
click Close. If the firewall reports a “URL access error”, check the source
address, correct any errors, and rerun the test.
8. Back on the External Dynamic Lists window, click Cancel to close it.
9. Leave the firewall web interface open to continue with the next task.

1.0 Create an Anti-Spyware Profile with DNS Sinkhole

The DNS sinkhole action provides administrators with a method of identifying
infected hosts on the network using DNS traffic, even when the firewall
cannot see the originator of the DNS query because the DNS server is not on
the internal network.
1. In the web interface, navigate to Objects > Security Profiles > Anti-Spyware and
then click the Anti-Spyware Profile named lab-as.
2. In the Anti-Spyware Profile window, click the DNS Signatures tab. Locate the DNS
Signature Policies box, click Add, and select lab-dns-sinkhole.

3. Verify that the Action on DNS Queries column for lab-dns-sinkhole is set to
sinkhole.
4. Verify that the Sinkhole IPv4 is set to Palo Alto Networks Sinkhole IP
(sinkhole.paloaltonetworks.com) in the DNS Sinkhole Settings box. Click OK to close
the Anti-Spyware Profile configuration window.

5. Commit all changes.
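Two things in the EDL and sinkhole steps above are worth checking with code before committing: that dns-sinkhole.txt is in the shape the firewall expects (one bare domain per line, with ‘Automatically expand to include subdomains’ doing the wildcard work), and that the sinkhole really does expose the infected host rather than the DNS server that relayed its query. The following script is an added example, not the assignment's own material and not PAN-OS code. The list contents, the DNS query log and the traffic log are constructed; SINKHOLE_IP is a placeholder standing in for whatever sinkhole.paloaltonetworks.com resolves to on your firewall; DC1 (192.168.1.10) comes from the scenario.

```python
"""Validate a DNS-sinkhole domain list and show how the sinkhole address
identifies the infected host even when the firewall only sees DC1's queries.

Added example, not part of the assignment and not PAN-OS code. The list,
DNS log and traffic log below are constructed; SINKHOLE_IP is a placeholder
for the address sinkhole.paloaltonetworks.com resolves to; 192.168.1.10 (DC1)
comes from the scenario."""
import re
from typing import List, Set, Tuple

SINKHOLE_IP = "198.51.100.1"   # placeholder from a documentation range, not the real sinkhole IP
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_domain_list(text: str) -> Tuple[List[str], List[str]]:
    """Return (entries, problems) for an EDL domain-list file: one bare domain
    per line, lower-cased, no scheme/path/port. Wildcard lines are rejected
    because the 'expand to include subdomains' option already covers them."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        d = line.lower().rstrip(".")
        if "://" in d or "/" in d or ":" in d:
            problems.append(f"line {n}: {line!r} is a URL, not a domain")
        elif "*" in d:
            problems.append(f"line {n}: {line!r} uses a wildcard; tick 'expand subdomains' instead")
        elif "." not in d or len(d) > 253 or not all(_LABEL.match(p) for p in d.split(".")):
            problems.append(f"line {n}: {line!r} is not a valid domain name")
        else:
            entries.append(d)
    return entries, problems


def is_sinkholed(qname: str, entries: List[str], expand_subdomains: bool = True) -> bool:
    """True if the query name matches a list entry, or a subdomain of one when
    'Automatically expand to include subdomains' is ticked."""
    q = qname.lower().rstrip(".")
    return any(q == e or (expand_subdomains and q.endswith("." + e)) for e in entries)


def hosts_querying_listed(dns_log: List[Tuple[str, str]], entries: List[str]) -> Set[str]:
    """Sources of DNS queries the firewall would answer with the sinkhole address.
    When DC1 resolves on behalf of clients, this only ever names DC1."""
    return {src for src, qname in dns_log if is_sinkholed(qname, entries)}


def hosts_contacting_sinkhole(traffic_log: List[Tuple[str, str, int]],
                              sinkhole_ip: str = SINKHOLE_IP) -> Set[str]:
    """The actual infected hosts: anything that later connects to the sinkhole address."""
    return {src for src, dst, _ in traffic_log if dst == sinkhole_ip}


# Constructed sample data.
SAMPLE_LIST = """\
bad.example
Malware-C2.example.
http://notadomain.example/path
*.wild.example
"""
# (client as seen by the firewall, query name): every query arrives from DC1.
DNS_LOG = [("192.168.1.10", "bad.example"), ("192.168.1.10", "cdn.bad.example"),
           ("192.168.1.10", "www.good.example")]
# (source, destination, destination port) from the traffic log after the sinkhole answer.
TRAFFIC_LOG = [("192.168.1.77", SINKHOLE_IP, 443), ("192.168.1.23", "203.0.113.5", 443)]

if __name__ == "__main__":
    entries, problems = validate_domain_list(SAMPLE_LIST)
    print("entries:", entries, "problems:", problems)
    print("DNS log points at:", hosts_querying_listed(DNS_LOG, entries))
    print("traffic log points at:", hosts_contacting_sinkhole(TRAFFIC_LOG))
```

On the sample data the DNS log only ever names DC1, because it relays every client's query, while the traffic log names 192.168.1.77 as the host that followed the sinkholed answer; that is the detection the Anti-Spyware sinkhole action buys you, and it is why the traffic log, not the threat log, is where to look for infected LAN hosts.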

To enable the Free Wildfire Forwarding

> Register the Firewall


> Segment Your Network Using Interfaces and Zones
> Set Up a Basic Security Policy > Assess Network Traffic
> Enable Free WildFire Forwarding
> Best Practices for Completing the Firewall Deployment
> Best Practices for Securing Administrative Access
References:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIPCA0
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/dns/configure-a-dns-server-profile
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/enable-basic-wildfire-forwarding
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/dns/use-case-1-firewall-requires-dns-resolution
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPdBCAW
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security
https://live.paloaltonetworks.com/t5/general-topics/dns-traffic-allowed-for-one-server-but-dropped-for-another/td-p/68599
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/configure-url-filtering
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/how-to-use-url-categories#id60cd6071-aa08-46c4-8a5f-db39f3fd5bf9
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/security-policy/security-policy-actions
https://www.reddit.com/r/paloaltonetworks/comments/hdyjnb/manual_ip_block_list/
https://www.youtube.com/watch?v=e7vBGOZqEf8&ab_channel=JaferSabir
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEhCAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHSCA0
https://social.technet.microsoft.com/wiki/contents/articles/1772.windows-ports-protocols-and-system-services.aspx
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-services
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-management-functions
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAckCAG&lang=en_US
https://rtodto.net/palo-alto-networks-1-initial-configuration/
https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-site-to-site-vpn-policy-using-main-mode/170504380887908/
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration
