Perform Initial Configuration for an Air Gapped Firewall
Table of Contents
Perform Initial Configuration for an Air Gapped Firewall
Initial configuration procedure for a standalone air gapped next-generation
firewall.
Perform the initial configuration for an air gapped firewall. By default, the
PA-Series firewall has an IP address of 192.168.1.1 and a username/password of
admin/admin. For security reasons, you must change these settings before continuing
with other firewall configuration tasks. Perform these initial configuration tasks
either from the MGT interface, even if you do not plan to use this interface for
your firewall management, or using a direct serial connection to the console port on
the firewall.
The air gapped firewall cannot connect to the Palo Alto Networks update server
because an outbound internet connection is required. To activate licenses, upgrade
the PAN-OS software version, and install dynamic content updates you must upload the
relevant files to the air gapped firewalls manually.
- Gather the required information from your network administrator.
- Private IP address for the management (MGT) port
- Netmask
- Default gateway
- DNS server address
- NTP server address
- Install and power on the firewall.Review your firewall hardware reference guide for details and best practices.
- Connect to the firewall.You must log in using the defaultadminusername. You are immediately prompted to change the defaultadminpassword before you can continue. The new password must be a minimum of eight characters and include a minimum of one lowercase and one uppercase character, as well as one number or special character.You can connect to the firewall in one of the following ways:
- Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for examplePA-220 login.
- Log in to the firewall CLI by connecting an RJ-45 Ethernet cable from your computer to the MGT interface on the firewall. From a browser, go tohttps://192.168.1.1.You may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, to access this URL.
- (Best Practices) Disable Zero Touch Provisioning (ZTP).ZTP can only be disabled from the firewall CLI. The firewall reboots after you disable ZTP.Continue to the next steps after the firewall has rebooted and you can log back in.
- PA-5400 Series, PA-3400 Series, PA-1400 Series, and PA-400 Seriesadmin>set system ztp disable
- All Other Firewallsadmin>request disable-ztp
Configure the network settings for the air gapped firewall.The following commands set the interface IP allocation tostatic, configures the IP address for the MGT interface, the Domain Name Server (DNS), and Network Time Protocol (NTP) server.admin>configureadmin#set deviceconfig system type staticadmin#set deviceconfig system ip-address <IP-Address> netmask <Netmask-IP> default-gateway <Gateway-IP>admin#set deviceconfig system dns-settings servers primary <IP-Address> secondary <IP-Address>admin#set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP-Address>admin#set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <IP-Address>Register the firewall with the Palo Alto Networks Customer Support Portal (CSP).- Log in to the Palo Alto Networks CSP.
- ClickRegister a Device.
- SelectRegister device using Serial Numberand clickNext.
- Enter the requiredDevice Information.
- Enter the firewallSerial Number.
- Check (enable)Device will be used offline.
- Select the PAN-OSOS Releaserunning on the firewall.
- Enter the requiredLocation Information.
- Enter theCitythe firewall is located in,
- Enter thePostal Codethe firewall is located in,
- Enter theCountrythe firewall is located in.
- Agree and Submit.
- Skip this stepwhen prompted to generate the optionalDay 1 Configurationconfig file.
Download your firewall license keys.The license key files are required to activate your firewall licenses when air gapped.- Log in to the Palo Alto Networks CSP.
- Select and locate the firewall you added.
- Download all license keys files from the download links availableLicensecolumn.You must download a license key file for each license you want to active on the firewall.
Active the firewall licenses.- Select andManually upload license key.ClickChoose Fileto select the license key file you downloaded in the previous step and clickOK.
- Repeat this step to uploaded and activate all licenses.
(Optional) Configure general firewall settings as needed.- Select and edit the General Settings.
- Enter aHostnamefor the firewall and enter your networkDomainname. The domain name is just a label; it will not be used to join the domain.
- EnterLogin Bannertext that informs users who are about to log in that they require authorization to access the firewall management functions.As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
- Enter theLatitudeandLongitudeto enable accurate placement of the firewall on the world map.
- ClickOK.
- Commityour changes.
Upgrade the firewall PAN-OS and dynamic content versions.Review the PAN-OS Upgrade Guide and PAN-OS Release Notes for detailed information about your target PAN-OS upgrade version.- Log in to the Palo Alto Networks CSP.
- Download dynamic content updates.
- Select .
- Select the dynamicContent typeyou want to install.
- Downloadthe dynamic content update to your local device.
- Repeat this step to download all required dynamic content updates.
- Download a PAN-OS software update.
- Select .
- For theContent type, select the firewall model. For theRelease type, selectAll(default) orPreferred.
- In theDownloadcolumn, click the PAN-OS version to download the software image to your local device.
- Select andUploadthe dynamic content updates you downloaded.Repeat this step toBrowseand select all the dynamic content release versions.
- Installthe dynamic content updates.
- Select andUploadthe PAN-OS software image you download.
- Installthe PAN-OS software version.The firewall needs to restart to finish installing the PAN-OS software upgrade.
Connect the firewall to your network.- Disconnect the firewall from your computer.
- (All firewalls except for the PA-5450) Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for autonegotiation.
- (PA-5450 only) Connect the MGT port to a switch port on your management network using a Palo Alto Networks certified SFP/SFP+ transceiver and cable.
Verify the air gapped firewall connectivity.- Select .
- Verify the firewall can reach required internal devices.
- ForSelect Test, selectping.
- For theHost, enter an internal IP address to verify the firewall can reach a device in the air gapped network.
- ClickExecuteand wait for the test to complete.Click theTest Resultwhen displayed to review theResult Detailto confirm the firewall can successfully ping the internal device.
- Repeat this step to verify the firewall can reach all required internal devices.
- Verify the firewall cannot reach devices outside of the air gapped network.
- ForSelect Test, selectping.
- For theHost, enter an external IP address to verify the firewall cannot reach devices outside of the air gapped network.
- ClickExecuteand wait for the test to complete.Click theTest Resultwhen displayed to review theResult Detailto confirm the firewall cannot ping the external device.
