Perform Initial Configuration on the VM-Series Firewall

Use these instructions to perform the initial configuration of your VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface. However, you can assign a static IP address. After completing the initial configuration, access the web interface to complete further configurations tasks. If you have Panorama for central management, refer to the Panorama Administrator’s Guide for information on managing the device using Panorama.
If you are using bootstrapping to perform the configuration of your VM-Series firewall on Hyper-V, refer to Bootstrap the VM-Series Firewall on Hyper-V. For general information about bootstrapping, see Bootstrap the VM-Series Firewall.
  1. Gather the required information from your network administrator.
    • Management port IP address
    • Netmask
    • Default gateway
    • DNS server IP address
  2. Access the console of the VM-Series firewall.
    1. In Hyper-V Manager, select the VM-Series firewall and click Connect from the Actions list.
    2. Log in to the firewall with the default username and password: admin/admin
    3. Enter configuration mode using the following command: configure
  3. Configure the network access settings for the management interface.
    Enter the following commands:
    set deviceconfig system type static
    set deviceconfig system ip-address<Firewall-IP>netmask<netmask>default-gateway<gateway-IP>dns-setting servers primary<DNS-IP>
    where <Firewall-IP> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
  4. Commit your changes and exit the configuration mode.
    1. Enter commit.
    2. Enter exit.
  5. Verify that you can view the management interface IP address from the Hyper-V Manager.
    1. Select the VM-Series firewall from the list of Virtual Machines.
    2. Select Networking. The first network adapter that displays in the list is used for management access to the firewall; subsequent adapters in the list are used as the dataplane interfaces on the firewall.
      LIS_mgt_IP.png
  6. Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
    1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.
      admin@PA-200 > ping host updates.paloaltonetworks.com
      PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data. 
      From 192.168.1.1 icmp_seq=1 Destination Host Unreachable 
      From 192.168.1.1 icmp_seq=2 Destination Host Unreachable 
      From 192.168.1.1 icmp_seq=3 Destination Host Unreachable 
      From 192.168.1.1 icmp_seq=4 Destination Host Unreachable  
      After verifying DNS resolution, press Ctrl+C to stop the ping request.
    2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
      request support
      check 
      If you have connectivity, the update server will respond with the support status for your firewall.
  7. (Optional) Verify that your VM-Series jumbo frame configuration does not exceed the maximum MTU supported on Hyper-V.
    The VM-Series has a default MTU size of 9216 bytes when jumbo frames are enabled. However, the maximum MTU size supported by the physical network adapter on the Hyper-V host is 9000 or 9014 bytes depending on the network adapter capabilities. To verify the configured MTU on Hyper-V:
    1. In Windows Server 2012 R2, open the Control Panel and navigate to Network and InternetNetwork and Sharing CenterView network status and tasks.
    2. Click on a network adapter or virtual switch from the list.
    3. Click Properties.
    4. Click Configure.
    5. On the Advanced tab, select Jumbo Packet from the list.
    6. Select 9000 or 9014 bytes from the Value drop-down menu.
    7. Click OK.
    If you have enabled jumbo frames on Hyper-V, Enable Jumbo Frames on the VM-Series Firewall and set the MTU size to match that configured on the Hyper-V host.
  8. Access the web interface of the VM-Series firewall and configure the interfaces and define security rules and NAT rules to safely enable the applications you want to secure.

Related Documentation