Perform the Initial Setup and Configuration for NGFWs (Air Gapped)

1. Gather the required information from your network administrator.

   • Private IP address for the management (MGT) port
   • Netmask
   • Default gateway
   • DNS server address
   • NTP server address
2. Install and power on the NGFW.

   Review your NGFW hardware reference guide for details and best practices.
3. Connect to the NGFW.

   You must log in using the default admin username. You are immediately prompted to change the default admin password before you can continue. The new password must be a minimum of eight characters and include a minimum of one lowercase and one uppercase character, as well as one number or special character.

   You can connect to the NGFW in one of the following ways:

   • Connect a serial cable from your computer to the Console port and connect to the device using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the NGFW is ready, the prompt changes to the name of the NGFW, for example PA-220 login.
   • Log in to the NGFW web interface by connecting an RJ-45 Ethernet cable from your computer to the MGT interface on the NGFW. From a browser, go to https://192.168.1.1.
     You may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, to access this URL.
4. (Best Practices) Disable Zero Touch Provisioning (ZTP).

   ZTP can only be disabled from the firewall CLI. The NGFW reboots after you disable ZTP.

   Continue to the next steps after the NGFW has rebooted and you can log back in.

   • PA-5400 Series, PA-3400 Series, PA-1400 Series, and PA-400 Series

     admin> set system ztp disable

   • All Other NGFWs

     admin> request disable-ztp

5. Configure the network settings for the air gapped NGFW.

   The following commands set the interface IP allocation to static, configures the IP address for the MGT interface, the Domain Name Server (DNS), and Network Time Protocol (NTP) server.

   admin> configure

   admin# set deviceconfig system type static

   admin# set deviceconfig system ip-address <IP-Address> netmask <Netmask-IP> default-gateway <Gateway-IP>

   admin# set deviceconfig system dns-settings servers primary <IP-Address> secondary <IP-Address>

   admin# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP-Address>

   admin# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <IP-Address>

6. Register the NGFW with the Palo Alto Networks Customer Support Portal (CSP).

   1. Log in to the Palo Alto Networks CSP.
   2. Click Register a Device.
   3. Select Register device using Serial Number and click Next.
   4. Enter the required Device Information.

      • Enter the NGFW Serial Number.
      • Check (enable) Device will be used offline.
      • Select the PAN-OS OS Release running on the NGFW.
   5. Enter the required Location Information.

      • Enter the City the NGFW is located in,
      • Enter the Postal Code the NGFW is located in,
      • Enter the Country the NGFW is located in.
   6. Agree and Submit.
   7. Skip this step when prompted to generate the optional Day 1 Configuration config file.
7. Download your NGFW license keys.

   The license key files are required to activate your NGFW licenses when air gapped.

   1. Log in to the Palo Alto Networks CSP.
   2. Select ProductDevices and locate the NGFW you added.
   3. Download all license keys files from the download links available License column.

      You must download a license key file for each license you want to active on the NGFW.
8. Activate the NGFW licenses.

   1. Log in to the firewall web interface.
   2. Select DeviceLicenses and Manually upload license key.

      Click Choose File to select the license key file you downloaded in the previous step and click OK.
   3. Repeat this step to uploaded and activate all licenses.
9. (Optional) Configure general NGFW settings as needed.

   1. Select DeviceSetupManagement and edit the General Settings.
   2. Enter a Hostname for the NGFW and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
   3. Enter Login Banner text that informs users who are about to log in that they require authorization to access the NGFW management functions.

      As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
   4. Enter the Latitude and Longitude to enable accurate placement of the device on the world map.
   5. Click OK.
   6. Commit your changes.
10. Upgrade the NGFW PAN-OS and dynamic content versions.

    Review the PAN-OS Upgrade Guide and PAN-OS Release Notes for detailed information about your target PAN-OS upgrade version.

    1. Log in to the Palo Alto Networks CSP.
    2. Download dynamic content updates.

       1. Select UpdatesDynamic Updates.
       2. Select the dynamic Content type you want to install.
       3. Download the dynamic content update to your local device.
       4. Repeat this step to download all required dynamic content updates.
    3. Download a PAN-OS software update.

       1. Select UpdatesSoftware Updates.
       2. For the Content type, select the NGFW model. For the Release type, select All(default) or Preferred.
       3. In the Download column, click the PAN-OS version to download the software image to your local device.
    4. Log in to the NGFW web interface.
    5. Select DeviceDynamic Updates and Upload the dynamic content updates you downloaded.

       Repeat this step to Browse and select all the dynamic content release versions.
    6. Install the dynamic content updates.
    7. Select DeviceSoftware and Upload the PAN-OS software image you download.
    8. Install the PAN-OS software version.

       The device needs to restart to finish installing the PAN-OS software upgrade.
11. Connect the NGFW to your network.

    1. Disconnect the device from your computer.
    2. (All NGFWs except for the PA-5450) Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the device to is configured for autonegotiation.
    3. (PA-5450 only) Connect the MGT port to a switch port on your management network using a Palo Alto Networks certified SFP/SFP+ transceiver and cable.
12. Verify the air gapped NGFW connectivity.

    1. Log in to the NGFW web interface.
    2. Select DeviceTroubleshooting.
    3. Verify the NGFW can reach required internal devices.

       1. For Select Test, select ping.
       2. For the Host, enter an internal IP address to verify the NGFW can reach a device in the air gapped network.
       3. Click Execute and wait for the test to complete.
          Click the Test Result when displayed to review the Result Detail to confirm the firewall can successfully ping the internal device.
       4. Repeat this step to verify the NGFW can reach all required internal devices.
    4. Verify the NGFW cannot reach devices outside of the air gapped network.

       1. For Select Test, select ping.
       2. For the Host, enter an external IP address to verify the NGFW cannot reach devices outside of the air gapped network.
       3. Click Execute and wait for the test to complete.
          Click the Test Result when displayed to review the Result Detail to confirm the NGFW cannot ping the external device.