Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:
Learn about the different Management Interfaces that are available to you and how to access and use them.
Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
Configure a best-practice security policy rulebase to safely enable applications and protect your network from attack. See Best Practice Internet Gateway Security Policy for details.
High Availability—High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.
Manage Firewall Administrators—Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.
Enable User Identification (User-ID)—User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.
Decryption—Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.
Enable Passive DNS Collection for Improved Threat Intelligence—Enable this opt-in feature so that the firewall acts as a passive DNS sensor and sends select DNS information to Palo Alto Networks for analysis, in order to improve threat intelligence and threat prevention capabilities.
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.
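Two of the steps above (replacing the default management certificate and creating individual administrator accounts) can be verified from an exported configuration. The following script is an added example, not Palo Alto Networks code: it audits a PAN-OS-style running-config.xml for a lone default admin account, multiple superusers, and a management service with no SSL/TLS service profile bound to it. The XML paths (mgt-config/users and deviceconfig/system/ssl-tls-service-profile) and the sample configuration are assumptions constructed for the example; compare them against your own export before relying on the result.

```python
"""Audit a PAN-OS-style exported configuration for two 'next steps':
the factory 'admin' account being the only administrator, and the
management interface still serving the default certificate.

Added example, not Palo Alto Networks code. The element paths are
assumed to follow an exported running-config.xml; verify against yours.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one extra named admin with a custom role, and no
# SSL/TLS service profile under deviceconfig/system (default certificate).
SAMPLE_CONFIG = """<config version="10.1.0">
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="jdoe">
        <permissions><role-based><custom><profile>audit-only</profile></custom></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
  <deviceconfig>
    <system>
      <hostname>fw-edge-01</hostname>
    </system>
  </deviceconfig>
</config>
"""


def parse_admins(config_xml):
    """Return {username: role} for every administrator in the configuration."""
    root = ET.fromstring(config_xml)
    admins = {}
    for entry in root.findall("./mgt-config/users/entry"):
        rb = entry.find("./permissions/role-based")
        if rb is None:
            role = "unknown"
        elif rb.find("superuser") is not None:
            role = "superuser"
        elif rb.find("superreader") is not None:
            role = "superreader"
        elif rb.find("custom/profile") is not None:
            role = "custom:" + rb.findtext("custom/profile")
        else:
            role = "other"
        admins[entry.get("name")] = role
    return admins


def audit(config_xml):
    """Return a list of findings; an empty list means all checks passed."""
    root = ET.fromstring(config_xml)
    admins = parse_admins(config_xml)
    findings = []
    # Only the factory account exists: actions cannot be attributed to a person.
    if set(admins) == {"admin"}:
        findings.append("only the default 'admin' account exists; create one account per administrator")
    # More than one full read-write account widens the blast radius of a stolen credential.
    superusers = sorted(n for n, r in admins.items() if r == "superuser")
    if len(superusers) > 1:
        findings.append("multiple superuser accounts: " + ", ".join(superusers))
    # No SSL/TLS service profile bound to management: HTTPS to the MGT
    # interface still presents the default certificate.
    if root.findtext("./deviceconfig/system/ssl-tls-service-profile") is None:
        findings.append("no SSL/TLS service profile for management; default certificate still in use")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a real export by reading the file into `audit()` instead of `SAMPLE_CONFIG`; a finding about the SSL/TLS service profile means the certificate-replacement step is still outstanding.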
PAN-OS® Administrator’s Guide