Initial purchase and delivery
Customer buys equipment and licenses
Get hold of equipment and do initial config
Customer portal account setup
Need to get the customer to register on
https://support.paloaltonetworks.com/Support/Index
They then go to Members > Manage Users and add our email address as a super user
Add firewalls to the portal
Once added we can add the serials of the firewalls
Activate licenses on firewalls
Device -> Licenses
Refresh in the top right
Retrieve license keys from license server
Activate feature using auth code (auth codes are in the email in the job folder)
Once we have licenses
Create a security rule to allow the firewall's own IPs (mgmt and LAN interface) out to download updates and reach the Palo Alto cloud services
The Palo Alto App-IDs all start with paloalto-; you usually want
device-telemetry
logging-service
shared-services
suppt-case
updates
wildfire-cloud
plus the non-prefixed apps
ssl
dns
ntp
google-base (for Google DNS)
Dynamic updates (AV and Apps + Threats)
Where possible choose sync to HA peer
Update WildFire and Apps and Threats
Device -> Dynamic Updates
Download (sync to HA peer)
Then install
Update PAN-OS software
Where possible choose sync to HA peer
Device -> Software (Check Now button)
A maintenance release will not install until its base release is present. For example, to upgrade to 11.0.1:
We first need to download the base package 11.0.0
Then download and install 11.0.1
Often the install is refused until the Apps and Threats content is at the minimum version that release needs, so update dynamic updates first
In an HA pair, upgrade the passive peer first, fail over, then upgrade the other one
Check back on Initial Dynamic updates
After licensing, new content types appear here; make sure each is downloaded and installed and that schedules are set up (synced to the HA peer where offered)
WildFire = real-time
Device Dictionary = N/A
GP clientless VPN = usually set to none, updates done at customer request
Apps + Threats = every 30 min, download + install, sync to peer
AV = every day, download + install, sync to peer
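The same schedules as PAN-OS CLI set commands, as an added example that is not from the original page. It assumes a single-vsys firewall in an HA pair and PAN-OS 10.x/11.x set-command syntax; the times (03:15 for AV, 2 minutes past the half hour for Apps and Threats) are placeholders. Paste the set lines in configure mode and commit, then run the two show/request commands from operational mode. The # lines are notes for the reader, not CLI input.

```text
# Apps + Threats: every 30 min, download and install, sync to HA peer
set deviceconfig system update-schedule threats recurring every-30-mins at 2 action download-and-install
set deviceconfig system update-schedule threats recurring sync-to-peer yes
# Antivirus: daily, download and install, sync to HA peer (03:15 is a placeholder time)
set deviceconfig system update-schedule anti-virus recurring daily at 03:15 action download-and-install
set deviceconfig system update-schedule anti-virus recurring sync-to-peer yes
# WildFire: real-time
set deviceconfig system update-schedule wildfire recurring real-time
# After commit, from operational mode: confirm installed versions on each peer and what is available
show system info | match version
request content upgrade info
```

Run the two operational commands on both peers; the app-version, av-version and wildfire-version lines should match, otherwise the sync-to-peer setting or the HA link needs looking at.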
Setup security profiles
Under Objects -> Security Profiles
Configure
AV
Anti-Spyware (AS)
Vulnerability Protection
URL Filtering (if needed)
File Blocking (use the strict profile)
WildFire Analysis
DoS Protection (also under Objects -> Security Profiles, but it is applied through a DoS Protection policy rather than the group)
Refer to other FWs for the usual settings
Once all are configured you can make a group
Under Objects -> Security Profile Groups
Create a group (e.g. IPS) and select all the profiles set up above
Apply the group to your security rules
Setup GlobalProtect
https://www.youtube.com/watch?v=rfO-9k2gw2M
- Password spraying / brute force protection: a pair of rules so only trusted regions can reach the portal/gateway
- Rule 1: allow GP traffic from trusted regions (usually only 1 or 2 needed)
- Source Zone: untrust aka outside
- Source address: the region objects, e.g. IE and GB
- Destination zone: untrust aka outside (the portal/gateway sits on the untrust interface, so this is intrazone traffic)
- Destination address: GP-portal-IP-xxx.xxx.xxx.xxx
- Applications:
- ipsec-esp-udp
- panos-global-protect
- ssl
- web-browsing
- Action: allow, log at session end
- Rule 2: drop all other GP connections (must sit below rule 1; without it the predefined intrazone-default rule would allow them)
- Source Zone: untrust aka outside
- Source address: any
- Destination zone: untrust aka outside
- Destination address: GP-portal-IP-xxx.xxx.xxx.xxx
- Applications: any
- Action: drop, log at session end
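The two rules above as PAN-OS set commands, plus a policy-match test, as an added example that is not taken from the original page or the linked video. Assumptions: a single-vsys firewall, a zone named untrust, a portal address of 203.0.113.10 (documentation range; use the real GP-portal-IP), IE and GB as the trusted regions, and 198.51.100.7 as a stand-in for a source outside those regions. The # lines are notes for the reader, not CLI input.

```text
# Address object for the portal/gateway public IP (placeholder address)
set address GP-portal-IP ip-netmask 203.0.113.10/32
# Rule 1: GP apps from trusted regions only; region objects are referenced by their country code
set rulebase security rules GP-allow-trusted-regions from untrust to untrust source [ IE GB ] destination GP-portal-IP application [ ipsec-esp-udp panos-global-protect ssl web-browsing ] service application-default action allow log-end yes
# Rule 2: anything else aimed at the portal is dropped and logged
set rulebase security rules GP-drop-other from untrust to untrust source any destination GP-portal-IP application any service any action drop log-end yes
# Order matters: the drop must come after the allow, and both sit above intrazone-default
move rulebase security rules GP-drop-other after GP-allow-trusted-regions
# After commit, from operational mode: a 443 connection from a non-trusted source should match GP-drop-other
test security-policy-match from untrust to untrust source 198.51.100.7 destination 203.0.113.10 protocol 6 destination-port 443 application ssl
```

If the test returns intrazone-default instead of GP-drop-other, the rules are either not committed or have landed below another rule that matches first; check Policies > Security ordering.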
Enable SNMP monitoring
Needs to be done on both peers because management interface config is not synced
Device -> Setup -> Operations -> Misc -> SNMP Setup (version and community string / v3 users)
Device -> Setup -> Interfaces -> Management -> Network Services -> tick "SNMP"
For traps
Device -> Server Profiles -> SNMP Trap -> Add
No security rule is needed when polling the management interface (it is handled by the management plane); if you poll a dataplane interface instead, that interface needs an Interface Management Profile that permits SNMP
Don't forget to commit changes
Make sure you have the config on both active + passive
Initial config
Keep in mind DNS, HA, timezone, NTP and service route settings are not synced and must be configured manually on each FW, so make sure they match.
Block QUIC so browsers fall back to TLS over TCP 443 (needed for SSL decryption later); better to do it now.
Enable block rules for the built-in Palo Alto lists (Tor exit nodes, known malicious IPs, high-risk IPs, bulletproof hosting) in both directions
Need to set the service to "any" rather than "application-default" on these rules, since the application is any
Enable geo block rules in/out
Can cause issues with cloud services, see below
Use EDLs (Palo Alto's built-in ones or a customer-maintained list) in allow rules placed above the geo blocks to keep access to cloud services
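The update-allow rule from the licensing section, the QUIC block and the built-in list blocks as PAN-OS set commands, as an added example that is not from the original page. Assumptions: a single-vsys firewall; zones named trust, mgmt and untrust; placeholder firewall addresses 10.0.0.1 (mgmt) and 10.0.1.1 (LAN), with the management network reaching the internet through the firewall's dataplane as the page describes; the App-ID list is the subset of the page's list whose names I am sure of (add the rest as the page lists them). panw-known-ip-list, panw-highrisk-ip-list, panw-torexit-ip-list and panw-bulletproof-ip-list are Palo Alto's predefined EDL names. The # lines are notes for the reader, not CLI input.

```text
# Firewall's own addresses, used as the source of the update / cloud-services rule
set address FW-mgmt ip-netmask 10.0.0.1/32
set address FW-lan ip-netmask 10.0.1.1/32
set address-group FW-self static [ FW-mgmt FW-lan ]
set rulebase security rules FW-updates from [ trust mgmt ] to untrust source FW-self destination any application [ paloalto-device-telemetry paloalto-logging-service paloalto-shared-services paloalto-updates paloalto-wildfire-cloud ssl dns ntp google-base ] service application-default action allow
# QUIC denied outbound so browsers fall back to TLS on TCP 443, which can be decrypted later
set rulebase security rules Block-QUIC from trust to untrust source any destination any application quic service any action deny log-end yes
# Built-in malicious IP lists, inbound and outbound; application is any, so service must be any, not application-default
set rulebase security rules Block-PANW-lists-in from untrust to any source [ panw-known-ip-list panw-highrisk-ip-list panw-torexit-ip-list panw-bulletproof-ip-list ] destination any application any service any action drop log-end yes
set rulebase security rules Block-PANW-lists-out from any to untrust source any destination [ panw-known-ip-list panw-highrisk-ip-list panw-torexit-ip-list panw-bulletproof-ip-list ] application any service any action drop log-end yes
# Block rules go to the top so no allow rule above them matches the traffic first
move rulebase security rules Block-PANW-lists-out top
move rulebase security rules Block-PANW-lists-in top
move rulebase security rules Block-QUIC top
```

Geo-block rules follow the same pattern with region codes in place of the list names; any EDL-based allow rule for cloud services has to be moved above them, otherwise the geo block wins.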
After migration install
- Consider running a Best Practice Assessment (BPA)
- Consider SSL decryption