Initial purchase and delivery
Customer buys equipment and licenses
Get hold of equipment and do initial config
Customer port account setup
Need to get customer to register on
https://support.paloaltonetworks.com/Support/Index
They have to go to Members > Manage Users > add our email as super users
Add firewalls to the portal
Once added we can add the serials of the firewalls
Activate licenses on firewalls
Device -> Licenses
Refresh in top right
Retrieve license key from license server
Activate feature using auth code (auth codes found in email in job folder)
Once we have licenses
Create a rule to allow fw IPs (mgmt and lan) to download updates
applications start with paloalto-
you usually want
device-telemetry
logging-service
shared-services
suppt-case
updates
wildfire-cloud
ssl
dns
ntp
google-base (for google dns)
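Added example (not from the original checklist): a small Python helper that turns the application list above into the PAN-OS set command for the update-allow rule, after checking that the source addresses are real IPs and that both the management and LAN addresses are present. Assumed, and to be verified on the firewall: that the full App-ID names are "paloalto-" plus the suffixes listed (confirm each under Objects > Applications), the set-command syntax `set rulebase security rules NAME from ZONE to ZONE source [...] destination any application [...] service application-default action allow` in configure mode, and the placeholder rule name, zone names and addresses.

```python
"""Render the security rule that lets the firewall's own management and LAN
addresses reach Palo Alto update, licensing and telemetry services.

Added example, not part of the checklist. Assumptions (verify on the box):
- App-ID names are "paloalto-" + the suffixes the checklist lists;
- set-command syntax shown in render_update_rule() matches PAN-OS;
- rule name, zone names and addresses are placeholders.
"""
import ipaddress

# Suffixes copied from the checklist (spellings as listed there; confirm
# each one exists under Objects > Applications before committing).
PALOALTO_SUFFIXES = ["device-telemetry", "logging-service", "shared-services",
                     "suppt-case", "updates", "wildfire-cloud"]
# Generic apps the checklist also wants; google-base covers Google DNS.
GENERIC_APPS = ["ssl", "dns", "ntp", "google-base"]


def update_apps():
    """Full App-ID list for the update rule (paloalto-* first, then generic)."""
    return ["paloalto-" + s for s in PALOALTO_SUFFIXES] + GENERIC_APPS


def _validate_address(text):
    """Accept a host address or a network; raise ValueError otherwise."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return str(ipaddress.ip_network(text, strict=False))


def render_update_rule(name, from_zone, to_zone, sources, apps=None):
    """Return the single set command that creates the update-allow rule.

    sources: the firewall's management and LAN addresses (at least two, so a
    forgotten management IP is caught before the rule is pasted in).
    """
    addrs = [_validate_address(s) for s in sources]
    if len(addrs) < 2:
        raise ValueError("list both the management and the LAN address")
    apps = apps or update_apps()
    return (
        f"set rulebase security rules {name} from {from_zone} to {to_zone} "
        f"source [ {' '.join(addrs)} ] destination any "
        f"application [ {' '.join(apps)} ] "
        f"service application-default action allow"
    )


if __name__ == "__main__":
    # Placeholder zones and addresses; replace with the customer's values.
    print(render_update_rule("Allow-FW-Updates", "trust", "untrust",
                             ["192.0.2.10", "192.0.2.20"]))
```

Paste the printed command into `configure` mode on the active peer and commit; with HA the rulebase syncs, but remember the management interface config (and hence the management address itself) does not.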
Dynamic updates (AV and apps+threats)
Where possible choose sync to HA
Update wildfire and Apps and threats
Device -> Dynamic updates
Download (sync to ha peer)
Then install
Update PAN software
Where possible choose sync to HA
Device -> Software (check now button)
For example to upgrade to 11.0.1
We first need to download the base package 11.0.0
Then download and install 11.0.1
Often you will have to install dynamic updates first
Check back on Initial Dynamic updates
After configuring these, new entries appear; make sure they are downloaded and installed and that you have schedules set up
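Added example (not from the checklist or from Palo Alto Networks): a Python script that builds the upgrade steps in the order the checklist requires, dynamic updates first, then the base image (11.0.0 for an 11.0.1 target), then the target download and install, and can optionally send each step to a firewall over the XML API. Assumed: the op commands are POSTed as `type=op&cmd=<xml>` with an API key, and the XML shapes mirror the CLI commands `request content upgrade ...`, `request anti-virus upgrade ...` and `request system software ...`; the `FW_HOST` / `FW_API_KEY` environment variables are this script's own convention for selecting a firewall, and without them it only prints the plan.

```python
"""Plan (and optionally run) the PAN-OS upgrade sequence from the checklist.

Added example, not part of the page. Assumptions: XML API op commands as
type=op&cmd=<xml>&key=<api key>; XML element nesting mirrors the CLI
'request ...' commands; FW_HOST / FW_API_KEY are this script's own env vars.
"""
import os
import re
import ssl
import urllib.parse
import urllib.request


def base_release(version):
    """11.0.1 -> 11.0.0: the base image that must be downloaded first."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", version)
    if not m:
        raise ValueError(f"unexpected PAN-OS version string: {version!r}")
    major, minor, _patch = m.groups()
    return f"{major}.{minor}.0"


def cli_to_xml(cli):
    """Nest CLI tokens as XML elements; the token after 'version' is text."""
    tokens = cli.split()
    xml, open_tags, i = "", [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "version" and i + 1 < len(tokens):
            xml += f"<version>{tokens[i + 1]}</version>"
            i += 2
            continue
        xml += f"<{tok}>"
        open_tags.append(tok)
        i += 1
    for tok in reversed(open_tags):
        xml += f"</{tok}>"
    return xml


def upgrade_plan(target):
    """Ordered (description, CLI command) pairs for upgrading to `target`."""
    base = base_release(target)
    steps = [
        ("check content updates", "request content upgrade check"),
        ("download latest Apps+Threats", "request content upgrade download latest"),
        ("install latest Apps+Threats", "request content upgrade install version latest"),
        ("download latest AV", "request anti-virus upgrade download latest"),
        ("install latest AV", "request anti-virus upgrade install version latest"),
        ("refresh software list (Check Now)", "request system software check"),
    ]
    if base != target:  # base image first, as the checklist requires
        steps.append((f"download base image {base}",
                      f"request system software download version {base}"))
    steps.append((f"download {target}",
                  f"request system software download version {target}"))
    steps.append((f"install {target}",
                  f"request system software install version {target}"))
    return steps


def send_op(host, api_key, xml_cmd, verify_tls=True):
    """POST one op command to the XML API and return the raw XML response."""
    data = urllib.parse.urlencode(
        {"type": "op", "cmd": xml_cmd, "key": api_key}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data)
    # Keep certificate checks on; only disable deliberately for a self-signed
    # management certificate you have verified out of band.
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, timeout=60, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    host, key = os.environ.get("FW_HOST"), os.environ.get("FW_API_KEY")
    for desc, cli in upgrade_plan("11.0.1"):
        print(f"{desc}: {cli}")
        if host and key:
            print(send_op(host, key, cli_to_xml(cli)))
```

Run on each HA peer (or pick the sync-to-peer option in the GUI for the content steps); the script deliberately stops short of rebooting, so the reboot after install stays a manual, change-window step.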
Wildfire = realtime
Device Dictionary = N/A
GP clientless VPN = Usually set to none, updates done at customer request
Apps + Threats = every 30 min, download + install, sync to peer
AV = every day, download + install, sync to peer
Setup security profiles
Under objects -> Security profiles
Config
AV
AS
Vuln protection
URL (if needed)
File blocking (use strict profile)
Wildfire
DoS Protection
Refer to other FWs
Once all are configured you can make a group
Under objects -> Security profiles groups
Set up the group (IPS) and select all the profiles set up above
Apply the group to your firewall rules
Setup global protect
https://www.youtube.com/watch?v=rfO-9k2gw2M
Enable SNMP monitoring
Needs to be done twice because management interface config is not synced
Device -> setup -> operations -> misc -> snmp setup
Device -> setup -> interfaces -> Management -> networks services -> tick "SNMP"
For traps
Device -> Server profiles -> SNMP Trap -> Add
Not sure if you need FW rules but check on it after
Don't forget to commit changes
Make sure you have the config on both active + passive
Initial config
Keep in mind DNS and HA settings are not synced and must be configured manually on each FW
Enable block for built in palo lists like tor exit nodes and known malicious IPs
Need to untick "application default"
Consider enabling geo block
Can have lots of issues with cloud services
After migration install
- Consider BPA
- Consider SSL decryption